Bug 1645263 - Auth plugins leave passwords in the access log and audit log using REST [rhel-7.6.z]
Summary: Auth plugins leave passwords in the access log and audit log using REST [rhel...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.6
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: Dinesh Prasanth
QA Contact: Asha Akkiangady
Docs Contact: Marc Muehlfeld
URL:
Whiteboard:
Depends On: 1617894
Blocks:
Reported: 2018-11-01 18:42 UTC by Oneata Mircea Teodor
Modified: 2019-01-29 17:22 UTC (History)
CC: 10 users

Fixed In Version: pki-core-10.5.9-8.el7_6
Doc Type: Bug Fix
Doc Text:
Previously, the Certificate System REST API did not filter out plain password values. As a consequence, passwords were visible in clear text in log files. With this update, the server replaces password attribute values with "(sensitive)". As a result, clear text passwords are no longer visible in logs.
Clone Of: 1617894
Environment:
Last Closed: 2019-01-29 17:21:57 UTC
Target Upstream Version:




Links: Red Hat Product Errata RHBA-2019:0168 (Private: 0; Priority: None; Status: None; Summary: None; Last Updated: 2019-01-29 17:22:00 UTC)

Description Oneata Mircea Teodor 2018-11-01 18:42:30 UTC
This bug has been copied from bug #1617894 and has been proposed to be backported to 7.6 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-11-30 00:09:17 UTC
Test Procedure:
* https://bugzilla.redhat.com/show_bug.cgi?id=1617894#c3

Comment 3 Matthew Harmsen 2018-11-30 00:26:52 UTC
commit b53d4f5f135432d6bc25b4bc0def1ea4b44705a4
Author: Dinesh Prasanth M K <SilleBille@users.noreply.github.com>
Date:   Mon Oct 1 16:25:08 2018 -0400

    Fixes password leak of Auth plugins to Audit Logs (#57)
    
    * Auth plugin adds `(sensitive)` instead of plain passwords
    to AuditLogs
    * Added generic `isSensitive()` to identify Passwords before logging
    
    Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
    
    (cherry picked from commit cc2b50fac7542476aef222ab5f1d49d86e38cba1)
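The fix described above swaps credential values for the literal "(sensitive)" before the auth plugin writes to the audit log, using a generic isSensitive() check. The following is an added illustration of that pattern, not Dogtag's own Java code: a sensitivity check on attribute names, redaction before formatting a log line, and a defender-side scan of existing log lines for credentials that were logged unredacted. The attribute names, the sample log lines, and the audit line format are constructed assumptions.

```python
import re

# Literal the server substitutes for credential values (as stated in the Doc Text).
REDACTED = "(sensitive)"

# Assumed set of words that mark an attribute as a credential (constructed, not Dogtag's list).
SENSITIVE_WORDS = {"password", "passwd", "pwd", "pin", "secret", "token"}

# Regex used to pull key=value pairs out of a log line (constructed format).
KV = re.compile(r"(\S+?)=(\S+)")


def _tokens(name: str) -> list:
    """Split camelCase, snake_case and dotted names into lowercase words."""
    spaced = re.sub(r"([a-z0-9])([A-Z])", r"\1_\2", name)
    return re.split(r"[._\-]+", spaced.lower())


def is_sensitive(name: str) -> bool:
    """True when any word of the attribute name denotes a credential."""
    return any(t in SENSITIVE_WORDS for t in _tokens(name))


def redact(params: dict) -> dict:
    """Return a copy of params in which every credential value is replaced by REDACTED."""
    return {k: (REDACTED if is_sensitive(k) else v) for k, v in params.items()}


def format_audit_line(event: str, params: dict) -> str:
    """Build an audit entry from the redacted parameters; never from the raw ones."""
    safe = redact(params)
    return f"{event} " + " ".join(f"{k}={v}" for k, v in sorted(safe.items()))


def find_leaked(lines) -> list:
    """Return (line_no, attribute) for each sensitive attribute logged with a clear-text value."""
    hits = []
    for n, line in enumerate(lines, 1):
        for key, value in KV.findall(line):
            if is_sensitive(key) and value != REDACTED:
                hits.append((n, key))
    return hits


# Constructed sample log lines: line 1 leaks two credentials, line 2 is redacted correctly.
SAMPLE_LOG = [
    "[AuditEvent=AUTH] uid=alice password=hunter2 pin=1234",
    "[AuditEvent=AUTH] uid=bob password=(sensitive) pin=(sensitive)",
    "[AuditEvent=CERT_REQ] uid=carol requestId=42",
]

if __name__ == "__main__":
    print(format_audit_line("AUTH", {"uid": "alice", "userPassword": "hunter2"}))
    print(find_leaked(SAMPLE_LOG))
```

Running find_leaked over a server's existing access and audit logs is a quick way to confirm whether an unpatched instance has already written credentials to disk and which attributes were involved.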

Comment 4 Matthew Harmsen 2018-11-30 00:32:58 UTC
(In reply to Matthew Harmsen from comment #3)
> commit b53d4f5f135432d6bc25b4bc0def1ea4b44705a4
> Author: Dinesh Prasanth M K <SilleBille@users.noreply.github.com>
> Date:   Mon Oct 1 16:25:08 2018 -0400
> 
>     Fixes password leak of Auth plugins to Audit Logs (#57)
>     
>     * Auth plugin adds `(sensitive)` instead of plain passwords
>     to AuditLogs
>     * Added generic `isSensitive()` to identify Passwords before logging
>     
>     Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
>     
>     (cherry picked from commit cc2b50fac7542476aef222ab5f1d49d86e38cba1)

Cherry-picked to DOGTAG_10_5_9_RHEL_BRANCH

Comment 5 Matthew Harmsen 2018-12-05 18:39:04 UTC
DOGTAG_10_5_BRANCH:

commit cc2b50fac7542476aef222ab5f1d49d86e38cba1
Author: Dinesh Prasanth M K <SilleBille@users.noreply.github.com>
Date:   Mon Oct 1 16:25:08 2018 -0400

    Fixes password leak of Auth plugins to Audit Logs (#57)
    
    * Auth plugin adds `(sensitive)` instead of plain passwords
    to AuditLogs
    * Added generic `isSensitive()` to identify Passwords before logging
    
    Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>

Comment 6 Matthew Harmsen 2018-12-05 18:55:15 UTC
DOGTAG_10_5_RHEL_BRANCH:

commit b53d4f5f135432d6bc25b4bc0def1ea4b44705a4
Author: Dinesh Prasanth M K <SilleBille@users.noreply.github.com>
Date:   Mon Oct 1 16:25:08 2018 -0400

    Fixes password leak of Auth plugins to Audit Logs (#57)
    
    * Auth plugin adds `(sensitive)` instead of plain passwords
    to AuditLogs
    * Added generic `isSensitive()` to identify Passwords before logging
    
    Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
    
    (cherry picked from commit cc2b50fac7542476aef222ab5f1d49d86e38cba1)

Comment 7 Matthew Harmsen 2018-12-05 18:56:40 UTC
(In reply to Matthew Harmsen from comment #6)
> DOGTAG_10_5_RHEL_BRANCH:
> 
> commit b53d4f5f135432d6bc25b4bc0def1ea4b44705a4
> Author: Dinesh Prasanth M K <SilleBille@users.noreply.github.com>
> Date:   Mon Oct 1 16:25:08 2018 -0400
> 
>     Fixes password leak of Auth plugins to Audit Logs (#57)
>     
>     * Auth plugin adds `(sensitive)` instead of plain passwords
>     to AuditLogs
>     * Added generic `isSensitive()` to identify Passwords before logging
>     
>     Signed-off-by: Dinesh Prasanth M K <dmoluguw@redhat.com>
>     
>     (cherry picked from commit cc2b50fac7542476aef222ab5f1d49d86e38cba1)

should be DOGTAG_10_5_9_RHEL_BRANCH

Comment 13 errata-xmlrpc 2019-01-29 17:21:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0168

