Bug 1297576 - LDAP bind username and password being logged in plain text
Status: CLOSED NOTABUG
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Security
Version: 5.5.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.6.0
Assigned To: Joe Vlcek
QA Contact: amogh
Whiteboard: ldap
Keywords: ZStream
Duplicates: 1297577
Depends On:
Blocks: 1302062

Reported: 2016-01-11 17:39 EST by Jared Deubel
Modified: 2016-08-24 09:53 EDT

See Also:
Fixed In Version: 5.6.0.0
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Clones: 1302062
Environment:
Last Closed: 2016-05-16 16:35:33 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments: None
Description Jared Deubel 2016-01-11 17:39:05 EST
Description of problem:
When the system is binding with CloudForms we are seeing that the password is being logged in plain text.
From evm.log, which is world-readable:
==========================================================================================
[----] I, [2016-01-11T12:31:42.333099 #11821:9d1994]  INFO -- : MIQ(MiqQueue.put) Message id: [777000000684681],  id: [], Zone: [Census CloudForms], Role: [], Server: [54e1b3c4-9f3e-11e5-886e-00505685525e], Ident: [generic], Target id: [], Instance id: [], Task id: [], Command: [Authenticator::Ldap.authorize], Timeout: [600], Priority: [20], State: [ready], Deliver On: [], Data: [], Args: [{:basedn=>"DC=test,DC=system,DC=com", :bind_dn=>"CF3-user@test.system.com", :bind_pwd=>"PLAIN TEXT PASSWORD", :get_direct_groups=>true, :group_memberships_max_depth=>2, :ldaphost=>["system01.test.system.com"], :ldapport=>"636", :mode=>"ldaps", :user_suffix=>"test.system.com", :user_type=>"samaccountname", :amazon_key=>nil, :amazon_secret=>nil, :ldap_role=>true, :amazon_role=>false, :httpd_role=>false, :user_proxies=>[{}], :follow_referrals=>false, :sso_enabled=>false, :domain_prefix=>"EAD"}, 777000000002661, "test\\user1"]
==========================================================================================


User password hashes are also being logged. 
==========================================================================================
[----] I, [2016-01-11T13:50:40.026319 #11803:467990]  INFO -- : MIQ(MiqQueue#m_callback) Message id: [777000000685759], Invoking Callback with args: ["Finished", "ok", "Message delivered successfully", "#<User id: 777000000000002, name: \"John Doe\", email: \"johndoe@test.system.com\", icon: nil, created_on: \"2015-12-10 18:07:32\", updated_on: \"2016-01-11 18:50:40\", userid: \"johndoe@test.system.com\", settings: {}, filters: nil, lastlogon: \"2016-01-11 18:50:40\", lastlogoff: \"2016-01-11 17:20:03\", region: 777, current_group_id: 777000000000002, first_name: \"John\", last_name: \"doe\", password_digest: \"$2a$19$j2XjeqPzVELR.TOZ1vB0wOpIID/hy/uXc1qipSGqDaC...\">"]
==========================================================================================



Version-Release number of selected component (if applicable):
5.5

How reproducible:
Very
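Added example for this page, not ManageIQ/CloudForms code: the masking technique the fix for this bug applies, shown on a structure shaped like the queued args above. It walks nested Hashes and Arrays and replaces the values of credential-bearing keys before the structure is interpolated into a log line, and gives a record an inspect that applies the same mask, which is how password_digest escaped in the second excerpt. The key pattern, the "[FILTERED]" marker, the UserRecord class and the sample args are assumptions; the sample args are constructed to mirror the evm.log excerpt, with a made-up password.

```ruby
# Added illustration, not ManageIQ code. Key pattern and marker are assumptions.
SENSITIVE_KEY = /pass|pwd|secret|token|digest/i
FILTERED = '[FILTERED]'.freeze

# Returns a masked copy; the input is never mutated, so the worker that later
# consumes the queue message still receives the real credential. nil values are
# left as nil so an operator can still see that a credential is simply unset.
def mask_sensitive(obj)
  case obj
  when Hash
    obj.each_with_object({}) do |(key, value), out|
      out[key] = if key.to_s.match?(SENSITIVE_KEY) && !value.nil?
                   FILTERED
                 else
                   mask_sensitive(value) # recurse: hashes inside arrays inside hashes
                 end
    end
  when Array
    obj.map { |value| mask_sensitive(value) }
  else
    obj
  end
end

# What a queue-put log line looks like once the args pass through the mask.
def queue_log_line(command, args)
  "MIQ(MiqQueue.put) Command: [#{command}], Args: #{mask_sensitive(args).inspect}"
end

# Records often reach the log through #inspect (the callback args in the second
# excerpt). Overriding inspect on the model closes that path for every caller.
class UserRecord
  attr_reader :attributes

  def initialize(attributes)
    @attributes = attributes
  end

  def inspect
    fields = mask_sensitive(attributes).map { |k, v| "#{k}: #{v.inspect}" }
    "#<#{self.class.name} #{fields.join(', ')}>"
  end
end

# Constructed sample modelled on the queued Authenticator::Ldap.authorize args.
SAMPLE_QUEUE_ARGS = [
  { basedn: 'DC=test,DC=system,DC=com',
    bind_dn: 'CF3-user@test.system.com',
    bind_pwd: 'hunter2',
    ldaphost: ['system01.test.system.com'], ldapport: '636', mode: 'ldaps',
    amazon_key: nil, amazon_secret: nil,
    user_proxies: [{ bind_dn: 'proxy@test.system.com', bind_pwd: 'proxy-secret' }] },
  777_000_000_002_661,
  'test\\user1'
].freeze

if $PROGRAM_NAME == __FILE__
  puts queue_log_line('Authenticator::Ldap.authorize', SAMPLE_QUEUE_ARGS)
  puts UserRecord.new(userid: 'johndoe@test.system.com',
                      password_digest: '$2a$12$constructed-digest').inspect
end
```

The check that matters is not only the top-level :bind_pwd but the one nested under :user_proxies, which is an Array of Hashes; a mask that only looks at the first level is exactly what the follow-up commit on this bug had to revisit.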
Comment 2 Joe Vlcek 2016-01-22 16:48:01 EST
I've reproduced and root cased this. A fix is on the way.

JoeV
Comment 4 CFME Bot 2016-01-23 13:16:03 EST
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/edf9c91aef783dbd2d6233e25d885353811d46b5

commit edf9c91aef783dbd2d6233e25d885353811d46b5
Author:     Joe VLcek <jvlcek@redhat.com>
AuthorDate: Fri Jan 22 16:49:11 2016 -0500
Commit:     Joe VLcek <jvlcek@redhat.com>
CommitDate: Fri Jan 22 17:41:39 2016 -0500

    When logging, mask LDAP credentials in nested hashes
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1297576

 lib/vmdb/config.rb           | 22 +++++++++++--------
 spec/lib/vmdb/config_spec.rb | 50 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 63 insertions(+), 9 deletions(-)
Comment 5 CFME Bot 2016-01-26 18:47:26 EST
New commit detected on cfme/5.5.z:
https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=d4c786e84a24e3450fb9cd0c565d1de5e313f51b

commit d4c786e84a24e3450fb9cd0c565d1de5e313f51b
Author:     Joe VLcek <jvlcek@redhat.com>
AuthorDate: Fri Jan 22 16:49:11 2016 -0500
Commit:     Joe Rafaniello <jrafanie@redhat.com>
CommitDate: Tue Jan 26 17:42:50 2016 -0500

    When logging, mask LDAP credentials in nested hashes
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1297576

 lib/vmdb/config.rb           | 22 +++++++++-------
 spec/lib/vmdb/config_spec.rb | 61 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+), 9 deletions(-)
Comment 6 Gregg Tanzillo 2016-02-02 07:12:53 EST
*** Bug 1297577 has been marked as a duplicate of this bug. ***
Comment 7 Joe Vlcek 2016-02-03 09:58:25 EST
Reopening:

Turns out there are multiple places in the code that attempt to clean
output for logging. Thanks to help from Milan I have located the source
of other failures and will have a fix soon.
Comment 10 CFME Bot 2016-02-09 12:41:02 EST
New commit detected on ManageIQ/manageiq/master:
https://github.com/ManageIQ/manageiq/commit/56258a2397a7b5392c342596dd0a9af0ace0da9c

commit 56258a2397a7b5392c342596dd0a9af0ace0da9c
Author:     Joe VLcek <jvlcek@redhat.com>
AuthorDate: Fri Feb 5 15:21:49 2016 -0500
Commit:     Joe VLcek <jvlcek@redhat.com>
CommitDate: Tue Feb 9 00:08:56 2016 -0500

    Encrypt ldap bind password when queuing to MiqQueue
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1297576

 app/models/authenticator.rb              | 10 ++++++++++
 spec/models/authenticator/amazon_spec.rb |  1 +
 spec/models/authenticator/httpd_spec.rb  |  1 +
 spec/models/authenticator/ldap_spec.rb   | 24 ++++++++++++++++++++++++
 4 files changed, 36 insertions(+)
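Added example for this page, not ManageIQ code: the approach the commit message above names, sealing the bind password before it is placed on the queue so that a queue row, a queue dump or an unfiltered log of the args carries only ciphertext, and unsealing it in the worker right before the bind. Assumptions: a 32-byte key held by the appliance and supplied by the caller, AES-256-GCM, and a "v1:" prefix that lets a worker tell sealed values from legacy plaintext ones during a rolling upgrade. QueueSecretBox, queue_args_for_ldap and bind_password_from are names invented for this illustration.

```ruby
require 'openssl'

# Added illustration, not ManageIQ code. AES-256-GCM with a per-message nonce;
# the "v1:" prefix marks a sealed value. Key management is out of scope here:
# the 32-byte key is whatever the appliance already protects.
class QueueSecretBox
  PREFIX  = 'v1:'.freeze
  IV_LEN  = 12 # GCM nonce length
  TAG_LEN = 16 # GCM authentication tag length

  def initialize(key)
    raise ArgumentError, 'key must be 32 bytes' unless key.bytesize == 32
    @key = key
  end

  # Returns "v1:" + base64(iv || tag || ciphertext). A fresh random nonce per
  # call; reusing a nonce under the same key would break GCM's guarantees.
  def seal(plaintext)
    raise ArgumentError, 'empty plaintext' if plaintext.empty?
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.encrypt
    cipher.key = @key
    iv = cipher.random_iv
    cipher.auth_data = ''
    ciphertext = cipher.update(plaintext) + cipher.final
    PREFIX + [iv + cipher.auth_tag + ciphertext].pack('m0')
  end

  def sealed?(value)
    value.is_a?(String) && value.start_with?(PREFIX)
  end

  # Raises OpenSSL::Cipher::CipherError if the token was altered or the key
  # differs, so a tampered queue row cannot yield a plausible-looking password.
  def unseal(token)
    raw = token.delete_prefix(PREFIX).unpack1('m0')
    raise ArgumentError, 'malformed token' if raw.bytesize <= IV_LEN + TAG_LEN
    iv         = raw[0, IV_LEN]
    tag        = raw[IV_LEN, TAG_LEN]
    ciphertext = raw[(IV_LEN + TAG_LEN)..-1]
    cipher = OpenSSL::Cipher.new('aes-256-gcm')
    cipher.decrypt
    cipher.key = @key
    cipher.iv = iv
    cipher.auth_tag = tag
    cipher.auth_data = ''
    (cipher.update(ciphertext) + cipher.final).force_encoding(Encoding::UTF_8)
  end
end

# Producer side: called where the authentication config becomes queue args.
# Idempotent, so an already-sealed value is left alone; empty values are not
# sealed, since an empty password is not a secret and GCM rejects empty input.
def queue_args_for_ldap(config, box)
  args = config.dup
  pwd = args[:bind_pwd]
  args[:bind_pwd] = box.seal(pwd) if pwd.is_a?(String) && !pwd.empty? && !box.sealed?(pwd)
  args
end

# Consumer side: unseal only at the point of use, never into a long-lived object.
def bind_password_from(args, box)
  value = args[:bind_pwd]
  box.sealed?(value) ? box.unseal(value) : value
end

if $PROGRAM_NAME == __FILE__
  box = QueueSecretBox.new(OpenSSL::Random.random_bytes(32))
  queued = queue_args_for_ldap({ bind_dn: 'CF3-user@test.system.com', bind_pwd: 'hunter2' }, box)
  puts queued.inspect                  # :bind_pwd is now "v1:..."
  puts bind_password_from(queued, box) # the plaintext exists only in the worker
end
```

This complements, rather than replaces, log masking: masking protects the log line, sealing protects the queued payload itself, and the authenticated mode means a modified row fails closed instead of binding with a wrong password.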
Comment 11 CFME Bot 2016-02-11 11:02:54 EST
New commit detected on cfme/5.5.z:
https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=dbe4d18d8c9f3e732833da17d76705d71d6e4ee1

commit dbe4d18d8c9f3e732833da17d76705d71d6e4ee1
Author:     Joe VLcek <jvlcek@redhat.com>
AuthorDate: Fri Jan 22 16:49:11 2016 -0500
Commit:     Milan Zazrivec <mzazrivec@redhat.com>
CommitDate: Mon Feb 1 14:03:28 2016 +0100

    When logging, mask LDAP credentials in nested hashes
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1297576

 lib/vmdb/config.rb           | 22 +++++++++-------
 spec/lib/vmdb/config_spec.rb | 61 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+), 9 deletions(-)
Comment 13 CFME Bot 2016-02-15 10:42:51 EST
Detected commit referencing this ticket while ticket status is MODIFIED.
Comment 14 amogh 2016-05-12 15:26:47 EDT
bind_pwd is FILTERED in evm.log but grep is still listing the bind_pwd in plain text in apache/ssl_access.log.


[root@host-192-168-100-51 log]# grep -ir bind_pwd .
./apache/ssl_access.log:10.13.129.33 - - [12/May/2016:14:45:13 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd= HTTP/1.1" 200 97
./apache/ssl_access.log:10.13.129.33 - - [12/May/2016:14:45:16 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN TEXT HERE> HTTP/1.1" 200 97
./apache/ssl_request.log:[12/May/2016:14:45:13 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN TEXT HERE> HTTP/1.1" 97
./apache/ssl_request.log:[12/May/2016:14:45:16 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=<PLAIN TEXT HERE> HTTP/1.1" 97
./preconfigure-logs/evm.log:[----] I, [2016-05-11T20:18:21.174536 #12260:7af990]  INFO -- :     :bind_pwd: 

moving this bug on to DEV.
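Added example for this page, not CloudForms code: detection logic for the second leak path in the comment above. httpd writes the request line, query string included, to ssl_access.log and ssl_request.log before the application's parameter filtering ever runs, so a secret sent as a query parameter is in the access logs in the clear whatever evm.log shows. The scanner below pulls the request line out of either log format, parses the query string and reports parameters whose name looks credential-bearing without ever returning the value; the redactor rewrites such lines in place so a log can be scrubbed before it is shipped or attached to a ticket. The parameter-name pattern is an assumption, and the sample lines are constructed to mirror the grep output above with a made-up value.

```ruby
require 'uri'

# Added illustration, not CloudForms code. Pattern and samples are assumptions.
SENSITIVE_PARAM = /pass|pwd|secret|token/i
# Matches the quoted request line in both the common-log and the ssl_request formats.
REQUEST_LINE = %r{"(?<method>[A-Z]+) (?<target>\S+) (?<proto>HTTP/[\d.]+)"}

def parse_query(query)
  URI.decode_www_form(query)
rescue ArgumentError
  # Not well-formed application/x-www-form-urlencoded; fall back to a raw split
  # rather than skipping the line, since a malformed query can still carry a secret.
  query.split('&').map { |pair| name, value = pair.split('=', 2); [name, value.to_s] }
end

# Findings for one log line: one Hash per credential-bearing query parameter.
# The value itself is never returned, only whether one was present and its length.
def scan_access_log_line(line)
  m = REQUEST_LINE.match(line)
  return [] unless m
  path, query = m[:target].split('?', 2)
  return [] if query.nil? || query.empty?
  parse_query(query).each_with_object([]) do |(name, value), findings|
    next unless name.match?(SENSITIVE_PARAM)
    findings << { method: m[:method], path: path, param: name,
                  value_present: !value.empty?, value_length: value.length }
  end
end

# Same over a whole file, with 1-based line numbers for the report.
def scan_access_log(lines)
  lines.each_with_index.flat_map do |line, idx|
    scan_access_log_line(line).map { |f| f.merge(line: idx + 1) }
  end
end

# Returns the line with the values of credential-bearing parameters replaced,
# leaving the rest of the request line and the other fields intact.
def redact_access_log_line(line)
  line.sub(REQUEST_LINE) do |request|
    m = Regexp.last_match
    path, query = m[:target].split('?', 2)
    next request if query.nil?
    pairs = query.split('&').map do |pair|
      name, _value = pair.split('=', 2)
      name.match?(SENSITIVE_PARAM) ? "#{name}=[REDACTED]" : pair
    end
    "\"#{m[:method]} #{path}?#{pairs.join('&')} #{m[:proto]}\""
  end
end

# Constructed sample lines modelled on the grep output in the comment above.
SAMPLE_LOG_LINES = [
  '10.13.129.33 - - [12/May/2016:14:45:13 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd= HTTP/1.1" 200 97',
  '10.13.129.33 - - [12/May/2016:14:45:16 -0400] "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=hunter2 HTTP/1.1" 200 97',
  '[12/May/2016:14:45:16 -0400] 10.13.129.33 TLSv1.2 ECDHE-RSA-AES128-GCM-SHA256 "POST /ops/settings_form_field_changed/authentication?authentication_bind_pwd=hunter2 HTTP/1.1" 97',
  '10.13.129.33 - - [12/May/2016:14:46:01 -0400] "GET /ops/explorer?page=2&sort=name HTTP/1.1" 200 5120'
].freeze

if $PROGRAM_NAME == __FILE__
  scan_access_log(SAMPLE_LOG_LINES).each { |f| puts f.inspect }
  SAMPLE_LOG_LINES.each { |l| puts redact_access_log_line(l) }
end
```

Note that the first sample line is reported too, with value_present false: the form posted the field as it was being edited, so the empty POST shows the same parameter on the same path and is the cue that a later line will carry the full value. Redaction of existing logs is damage control; the durable fix is for the form to send the credential in the request body rather than the query string, since a request body is not part of what httpd logs.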
Comment 15 amogh 2016-05-12 15:28:58 EDT
verified this bug in 5.6.0.6-beta2.5.20160511140943_ff75fb2
Comment 17 amogh 2016-05-16 15:22:31 EDT
Joe,

here are the two separate BZ's for UI and Appliance logs:

appliance: https://bugzilla.redhat.com/show_bug.cgi?id=1336541
webui: https://bugzilla.redhat.com/show_bug.cgi?id=1336538
Comment 18 amogh 2016-05-16 16:35:33 EDT
closing this bz, as this problem will be handled with two separate bz's commented above.
