Bug 888100 - rhc-chk -d displays database admin user's password.
rhc-chk -d displays database admin user's password.
Product: OpenShift Origin
Classification: Red Hat
Component: Command Line Interface
Severity: high
Assigned To: Hiro Asari
libra bugs
Keywords: Security, SecurityTracking
Depends On:
Blocks: CVE-2012-5658
Reported: 2012-12-17 20:12 EST by Nam Duong
Modified: 2015-05-14 22:10 EDT (History)

See Also:
Fixed In Version:
Doc Type: Release Note
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2013-02-13 17:56:38 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments
rhc-chk log (14.77 KB, text/x-log), 2012-12-20 04:46 EST, Jianwei Hou
rhc-chk log (9.00 KB, text/x-log), 2012-12-20 21:55 EST, joycezhang

Description Nam Duong 2012-12-17 20:12:25 EST
Description of problem:
While debugging user environments over IRC, we often request the output of certain commands, which ends up being viewable by everyone on #openshift.  We recently found that 'rhc-chk -d' will display the user's database password.  We should obfuscate it.
Comment 1 Hiro Asari 2012-12-18 15:38:46 EST

The logs should have database information (as well as any other value indicated as "password") hidden, like this:

                connection_url: mysql://
                username: admin
                password: ! 'password: length 12 starting with YQ'
                database_name: foo
                info: ! 'Connection URL: mysql://'
Comment 2 Hiro Asari 2012-12-18 16:31:31 EST
Password should be "***" now.
Comment 3 Kurt Seifried 2012-12-20 01:28:53 EST
This still exposes the password length:

self[k] = "*" * v.length

It would be much better to assign a static length of ********'s; in case the user has a very short password, this will let the attacker know that brute forcing it is possible.
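The point raised in Comment 3 can be shown side by side: the length-preserving mask (`"*" * v.length`) and a fixed-width mask applied to the same nested dump. This is an added example, not rhc's own code; the function names (`redact`, `mask_fixed`, `mask_preserving_length`), the key pattern and the sample data are assumptions constructed for illustration.

```ruby
# Added example (not rhc's code): masking secrets in a debug dump.
# Compares the length-preserving mask that Comment 3 objects to with a
# fixed-width mask that hides the password length.

require 'yaml'

SECRET_KEY = /password|secret|token/i   # keys whose values must never be logged (assumed pattern)
FIXED_MASK = '*' * 12                    # constant width, independent of the real value

# Length-preserving mask: leaks how long the secret is.
def mask_preserving_length(value)
  '*' * value.to_s.length
end

# Fixed-width mask: same output for every secret, so no length information escapes.
def mask_fixed(_value)
  FIXED_MASK
end

# Walk a nested Hash/Array (the shape of the rhc-chk dump) and return a copy
# in which every value whose key matches SECRET_KEY is replaced by the mask.
# The input is not mutated, so the live configuration keeps its real values.
def redact(obj, masker = method(:mask_fixed))
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), out|
      out[k] = k.to_s.match?(SECRET_KEY) ? masker.call(v) : redact(v, masker)
    end
  when Array
    obj.map { |e| redact(e, masker) }
  else
    obj
  end
end

# Constructed sample resembling the dump in Comment 4 (all values made up).
SAMPLE = {
  'framework' => 'jbossews-1.0',
  'cartridges' => [
    { 'connection_url' => 'mysql://', 'username' => 'admin',
      'password' => 'abc', 'database_name' => 'ews1' },
    { 'connection_url' => 'mongodb://', 'username' => 'admin',
      'password' => 'a-much-longer-password-1234', 'database_name' => 'app1' }
  ]
}

if __FILE__ == $PROGRAM_NAME
  # Length-preserving: '***' for the short password, 27 stars for the long one.
  puts redact(SAMPLE, method(:mask_preserving_length)).to_yaml
  # Fixed-width: both passwords become '************'.
  puts redact(SAMPLE).to_yaml
end
```

With the length-preserving strategy a three-character password shows up as `***`, which is exactly the hint Comment 3 warns about; the fixed-width strategy produces the `"************"` seen in the verified log in Comment 7 regardless of the real length. Redacting a copy before serialising, rather than mutating the configuration in place, also keeps the real credentials available to the code that still needs them.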
Comment 4 Jianwei Hou 2012-12-20 04:45:48 EST
Tested on devenv_2613

1. Create apps and embed db cartridges
2. run "rhc-chk -d"
3. check log file

DB passwords are still exposed; see attachment.

            framework: jbossews-1.0
            creation_time: "2012-12-20T02:38:43-05:00"
                connection_url: mysql://
                password: 4ujyRP5USdxX
                database_name: ews1
                username: admin
                info: "Connection URL: mysql://"
            uuid: 440152af3f0647b99cb47eeb758740c7
Comment 5 Jianwei Hou 2012-12-20 04:46:22 EST
Created attachment 666571 [details]
rhc-chk log
Comment 6 Hiro Asari 2012-12-20 08:52:38 EST

Thank you for raising that point. Here's a new pull request to address it: https://github.com/openshift/rhc/pull/264


Where did you run 'rhc-chk'? The image devenv_2613 has the change needed, but the machine on which you ran 'rhc-chk' might not. The 'rhc' gem has not been released, so you'll have to either try it from source, or run it on the image itself.
Comment 7 joycezhang 2012-12-20 21:45:29 EST
This bug has been verified and fixed on devenv_2618. Please refer to the details as below:

1. Create an app and add all db cartridges.
2. Run "eval `ssh-agent`" and "ssh-add ~/.ssh/id_rsa" on the instance.
3. Run "rhc-chk -d" on the instance.
4. Check the generated log file.

All db passwords are displayed as "************" below:

                password: "************"
                info: "Connection URL: mongodb://"
                database_name: app1
                username: admin
                connection_url: mongodb://
                password: "************"
                info: "Connection URL: postgresql://"
                database_name: app1
                username: admin
                connection_url: postgresql://
                password: "************"
                info: "Connection URL: mysql://"
                database_name: app1
                username: admin
                connection_url: mysql://

Also attached the log file with details for your reference.
Comment 8 joycezhang 2012-12-20 21:55:29 EST
Created attachment 667072 [details]
rhc-chk log
Comment 9 joycezhang 2012-12-20 22:51:26 EST
And the fixed version is rhc-1.3.2+ for this verification. Thanks.
