Bug 1302062 - LDAP bind username and password being logged in plain text
Status: CLOSED ERRATA
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Security
Version: 5.5.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: GA
Target Release: 5.5.3
Assigned To: Joe Vlcek
QA Contact: Milan Falešník
Keywords: ZStream
Depends On: 1297576
Reported: 2016-01-26 11:46 EST by Chris Pelland
Modified: 2016-04-13 14:41 EDT
CC: 12 users

Fixed In Version: 5.5.3.2
Doc Type: Bug Fix
Doc Text:
Previously, when the system was binding with CloudForms, the password was being logged in plain text. This fix encrypts the LDAP bind password when queuing to MiqQueue. As a result, the password is now logged encrypted.
Clone Of: 1297576
Last Closed: 2016-04-13 14:41:57 EDT
Type: Bug
Comment 2 CFME Bot 2016-01-26 18:47:31 EST
New commit detected on cfme/5.5.z:
https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=e4e2fab0f0b72d076cc9e37f243d651b4617aba5

commit e4e2fab0f0b72d076cc9e37f243d651b4617aba5
Merge: 35f88d4 c4d55fc
Author:     Dan Clarizio <dclarizi@redhat.com>
AuthorDate: Tue Jan 26 18:45:56 2016 -0500
Commit:     Dan Clarizio <dclarizi@redhat.com>
CommitDate: Tue Jan 26 18:45:56 2016 -0500

    Merge branch 'bz_1302062' into '5.5.z'
    
    When logging, mask LDAP credentials in nested hashes
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1302062
    
    (cherry picked from commit ee20bc1)
    
    Cherry picked from https://github.com/ManageIQ/manageiq/pull/6307
    
    The cherry pick of the spec file was not clean and needed to be done manually.
    The only conflict was the addition of the new tests, which I resolved manually
    by adding all of the new lines.
    
    I then confirmed the spec by running it.
    
    
    
    See merge request !752

 lib/vmdb/config.rb           | 22 +++++++++-------
 spec/lib/vmdb/config_spec.rb | 61 ++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 74 insertions(+), 9 deletions(-)
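The merge above describes masking LDAP credentials in nested hashes before they reach the log. The following is an added example of that class of fix, not ManageIQ's own code; the key names, the mask string and the sample settings hash are assumptions chosen for illustration.

```ruby
# Added example (not ManageIQ's code): recursively mask credential values in
# nested hashes before they are written to a log. Key names and sample values
# are assumptions for illustration only.
require 'json'

SENSITIVE_KEYS = %w[password bind_pwd bind_password secret token].freeze
MASK = '********'.freeze

# Return a deep copy of +obj+ with any value under a sensitive key replaced by
# MASK. Walks Hashes and Arrays so deeply nested settings are covered too; the
# original structure is never mutated.
def mask_credentials(obj)
  case obj
  when Hash
    obj.each_with_object({}) do |(key, value), out|
      out[key] = sensitive_key?(key) ? MASK : mask_credentials(value)
    end
  when Array
    obj.map { |element| mask_credentials(element) }
  else
    obj
  end
end

# A key is sensitive if its (case-insensitive) name contains a known token.
def sensitive_key?(key)
  name = key.to_s.downcase
  SENSITIVE_KEYS.any? { |s| name.include?(s) }
end

# Constructed sample: an authentication settings hash with the LDAP bind
# password nested one level down, as a config dump or queue payload might be.
SAMPLE_SETTINGS = {
  authentication: {
    mode: 'ldap',
    ldaphost: ['ldap.example.test'],
    bind_dn: 'cn=svc-cfme,ou=people,dc=example,dc=test',
    bind_pwd: 'constructed-secret-value',
    ldap_role: true,
  },
  server: { name: 'appliance-1' },
}.freeze

# Render the masked structure as the single line a logger would emit.
def loggable(settings)
  "settings: #{mask_credentials(settings).to_json}"
end

puts loggable(SAMPLE_SETTINGS) if __FILE__ == $PROGRAM_NAME
```

Running the file prints the settings line with `bind_pwd` replaced by the mask while `bind_dn`, hosts and non-credential values stay readable for troubleshooting.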
Comment 7 CFME Bot 2016-02-11 14:38:23 EST
New commit detected on cfme/5.5.z:
https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=6dc402f5645b4317e0b790334a1237c7b18d3526

commit 6dc402f5645b4317e0b790334a1237c7b18d3526
Author:     Joe VLcek <jvlcek@redhat.com>
AuthorDate: Fri Feb 5 15:21:49 2016 -0500
Commit:     Joe VLcek <jvlcek@redhat.com>
CommitDate: Thu Feb 11 10:11:15 2016 -0500

    Encrypt ldap bind password when queuing to MiqQueue
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1302062
    
    PR: https://github.com/ManageIQ/manageiq/pull/6539
    
    Cherry Pick was not clean.
      Conflicts showed up in spec/models/authenticator/ldap_spec.rb
      due to earlier updates to the spec that are not cherry picked

 app/models/authenticator.rb              | 10 ++++++++++
 spec/models/authenticator/amazon_spec.rb |  1 +
 spec/models/authenticator/httpd_spec.rb  |  1 +
 spec/models/authenticator/ldap_spec.rb   | 26 +++++++++++++++++++++++++-
 4 files changed, 37 insertions(+), 1 deletion(-)
Comment 8 CFME Bot 2016-02-11 14:38:28 EST
New commit detected on cfme/5.5.z:
https://code.engineering.redhat.com/gerrit/gitweb?p=cfme.git;a=commitdiff;h=c2694eb2edd6804ad9154ce47b67884028c070ee

commit c2694eb2edd6804ad9154ce47b67884028c070ee
Merge: 8f39f21 6dc402f
Author:     Joe Rafaniello <jrafanie@redhat.com>
AuthorDate: Thu Feb 11 14:34:11 2016 -0500
Commit:     Joe Rafaniello <jrafanie@redhat.com>
CommitDate: Thu Feb 11 14:34:11 2016 -0500

    Merge branch 'bz_1302062_2' into '5.5.z'
    
    Encrypt ldap bind password when queuing to MiqQueue
    
    https://bugzilla.redhat.com/show_bug.cgi?id=1302062
    
    PR: https://github.com/ManageIQ/manageiq/pull/6539
    
    Cherry Pick was not clean.
      Conflicts showed up in spec/models/authenticator/ldap_spec.rb
      due to earlier updates to the spec that are not cherry picked
    
    See merge request !781

 app/models/authenticator.rb              | 10 ++++++++++
 spec/models/authenticator/amazon_spec.rb |  1 +
 spec/models/authenticator/httpd_spec.rb  |  1 +
 spec/models/authenticator/ldap_spec.rb   | 26 +++++++++++++++++++++++++-
 4 files changed, 37 insertions(+), 1 deletion(-)
Comment 10 Milan Falešník 2016-03-24 09:37:40 EDT
Checked in 5.5.3.2.

I have set up an LDAP login and logged in with an LDAP user, then I grepped all the logfiles of CFME and there is no mention of the bind password.
Comment 12 errata-xmlrpc 2016-04-13 14:41:57 EDT
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2016:0616
