1693777 – (CVE-2019-3888) CVE-2019-3888 undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed

Bug 1693777 (CVE-2019-3888) - CVE-2019-3888 undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed

Summary: CVE-2019-3888 undertow: leak credentials to log files UndertowLogger.REQUEST_...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2019-3888
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1697231
Blocks:	1693780
TreeView+	depends on / blocked

Reported:	2019-03-28 15:41 UTC by Laura Pardo
Modified:	2021-02-16 22:11 UTC (History)
CC List:	80 users (show)
Fixed In Version:	undertow-core-2.0.20.Final-redhat-00001.jar
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2019-07-12 13:06:51 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2019:1419	None	None	None	2019-06-10 16:39:00 UTC
Red Hat Product Errata	RHSA-2019:1420	None	None	None	2019-06-10 16:43:15 UTC
Red Hat Product Errata	RHSA-2019:1421	None	None	None	2019-06-10 16:40:58 UTC
Red Hat Product Errata	RHSA-2019:1424	None	None	None	2019-06-10 16:51:55 UTC
Red Hat Product Errata	RHSA-2019:1456	None	None	None	2019-06-11 15:32:37 UTC
Red Hat Product Errata	RHSA-2019:2439	None	None	None	2019-08-12 11:54:53 UTC
Red Hat Product Errata	RHSA-2019:2998	None	None	None	2019-10-10 09:54:43 UTC
Red Hat Product Errata	RHSA-2020:0727	None	None	None	2020-03-05 12:53:44 UTC
Red Hat Product Errata	RHSA-2020:0983	None	None	None	2020-03-26 15:47:27 UTC

Description Laura Pardo 2019-03-28 15:41:29 UTC

A vulnerability was found in Undertow web server. An information exposure of plain text credentials through log files because Connectors.executeRootHandler:402 logs the HttpServerExchange object at ERROR level using UndertowLogger.REQUEST_LOGGER.undertowRequestFailed(t, exchange)

Comment 1 Darran Lofthouse 2019-03-28 19:10:37 UTC

FYI I am not sure the route this came in but a community contributed pull request is already in the queue potentially leaking information about it's existence https://github.com/undertow-io/undertow/pull/736

Comment 5 Laura Pardo 2019-04-10 16:55:28 UTC

Acknowledgments:

Name: Carter Kozak

Comment 6 Joshua Padman 2019-05-15 23:00:52 UTC

This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 8 errata-xmlrpc 2019-06-10 16:38:57 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6

Via RHSA-2019:1419 https://access.redhat.com/errata/RHSA-2019:1419

Comment 9 errata-xmlrpc 2019-06-10 16:40:56 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8

Via RHSA-2019:1421 https://access.redhat.com/errata/RHSA-2019:1421

Comment 10 errata-xmlrpc 2019-06-10 16:43:12 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7

Via RHSA-2019:1420 https://access.redhat.com/errata/RHSA-2019:1420

Comment 11 errata-xmlrpc 2019-06-10 16:51:52 UTC

This issue has been addressed in the following products:

  Red Hat JBoss Enterprise Application Platform

Via RHSA-2019:1424 https://access.redhat.com/errata/RHSA-2019:1424

Comment 13 errata-xmlrpc 2019-06-11 15:32:35 UTC

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.3.2 zip

Via RHSA-2019:1456 https://access.redhat.com/errata/RHSA-2019:1456

Comment 16 Product Security DevOps Team 2019-07-12 13:06:51 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-3888

Comment 20 errata-xmlrpc 2019-08-12 11:54:50 UTC

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 7

Via RHSA-2019:2439 https://access.redhat.com/errata/RHSA-2019:2439

Comment 21 errata-xmlrpc 2019-10-10 09:54:40 UTC

This issue has been addressed in the following products:

  Red Hat Openshift Application Runtimes

Via RHSA-2019:2998 https://access.redhat.com/errata/RHSA-2019:2998

Comment 23 errata-xmlrpc 2020-03-05 12:53:38 UTC

This issue has been addressed in the following products:

  Red Hat Data Grid 7.3.3

Via RHSA-2020:0727 https://access.redhat.com/errata/RHSA-2020:0727

Comment 24 errata-xmlrpc 2020-03-26 15:47:23 UTC

This issue has been addressed in the following products:

  Red Hat Fuse 7.6.0

Via RHSA-2020:0983 https://access.redhat.com/errata/RHSA-2020:0983

Note You need to log in before you can comment on or make changes to this bug.

aileenc
akoufoud
alazarot
almorale
anstephe
asoldano
avibelli
bbaranow
bgeorges
bmaxwell
bmcclain
brian.stansberry
cdewolf
chazlett
ckozak
csutherl
darran.lofthouse
dblechte
dfediuck
dimitris
dosoudil
drieden
eedri
etirelli
extras-orphan
fgavrilo
ibek
iweiss
janstey
jawilson
jbalunas
jochrist
jondruse
jpallich
jperkins
jshepherd
krathod
kverlaen
kwills
lef
lgao
lpetrovi
lthon
mgoldboi
michal.skrivanek
mnovotny
msochure
msvehla
mszynkie
myarboro
nwallace
paradhya
pdrozd
pgallagh
pgier
pmackay
ppalaga
psakar
pslavice
psotirop
puntogil
rguimara
rnetuka
rrajasek
rruss
rstancel
rsvoboda
rsynek
rzhang
sbonazzo
sdaley
security-response-team
sherold
smaestri
sthorger
tom.jenkinson
trogers
twalsh
vtunka
yturgema