Bug 888100 - rhc-chk -d displays database admin user's password.
Status: CLOSED CURRENTRELEASE
Product: OpenShift Origin
Classification: Red Hat
Component: Command Line Interface
Version: 2.x
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: ---
Target Release: ---
Assigned To: Hiro Asari
QA Contact: libra bugs
Keywords: Security, SecurityTracking
Depends On:
Blocks: CVE-2012-5658

Reported: 2012-12-17 20:12 EST by Nam Duong
Modified: 2015-05-14 22:10 EDT
Last Closed: 2013-02-13 17:56:38 EST
Type: Bug
Doc Type: Release Note
Attachments:
  rhc-chk log (14.77 KB, text/x-log), 2012-12-20 04:46 EST, Hou Jianwei
  rhc-chk log (9.00 KB, text/x-log), 2012-12-20 21:55 EST, zhangjing

Description Nam Duong 2012-12-17 20:12:25 EST
Description of problem:
While debugging user environments over IRC, we often request the output of certain commands, which ends up being viewable by everyone on #openshift.  We recently found that 'rhc-chk -d' will display the user's database password.  We should obfuscate it.
Comment 1 Hiro Asari 2012-12-18 15:38:46 EST
https://github.com/openshift/rhc/pull/261

The logs should have database information (as well as any other value indicated as "password") hidden, like this:

            embedded:
              mysql-5.1:
                connection_url: mysql://127.0.250.129:3306/
                username: admin
                password: ! 'password: length 12 starting with YQ'
                database_name: foo
                info: ! 'Connection URL: mysql://127.0.250.129:3306/'
Comment 2 Hiro Asari 2012-12-18 16:31:31 EST
Password should be "***" now.
Comment 3 Kurt Seifried 2012-12-20 01:28:53 EST
This still exposes the password length:

self[k] = "*" * v.length

It would be much better to assign a static length of ********'s; if the user has a very short password, revealing its length will let the attacker know that brute forcing it is possible.
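Added example, not code from this bug or from the rhc project: a Ruby sketch of the fixed-width masking Kurt asks for, run over a constructed dump shaped like the rhc-chk -d output quoted above. The key pattern (password/secret/token), the 12-character mask and the sample values are assumptions made for this example; the length-preserving variant is included only to show what the first fix leaked.

```ruby
require 'yaml'

# Keys whose values are secrets. Any key containing one of these substrings
# is masked. Assumed for this example; the bug only talks about "password".
SECRET_KEY_PATTERN = /password|secret|token/i

# Fixed-width mask: identical whatever the real value's length, so the dump
# says nothing about how long the secret is. The width is an assumption.
MASK = '*' * 12

# Length-preserving mask, the weak variant from the first fix: an attacker
# reading the dump learns exactly how long the password is.
def mask_preserving_length(value)
  '*' * value.to_s.length
end

# Walk the nested Hash/Array structure that YAML.safe_load returns and return
# a copy with every secret-keyed value replaced by MASK. Other values pass
# through unchanged; the input is not modified.
def redact(obj)
  case obj
  when Hash
    obj.each_with_object({}) do |(k, v), out|
      out[k] = k.to_s.match?(SECRET_KEY_PATTERN) ? MASK : redact(v)
    end
  when Array
    obj.map { |v| redact(v) }
  else
    obj
  end
end

# Constructed sample modelled on the dump quoted in this bug; values are made up.
SAMPLE_YAML = <<~YAML
  ews1:
    framework: jbossews-1.0
    embedded:
      mysql-5.1:
        connection_url: mysql://127.1.2.129:3306/
        password: abc
        database_name: ews1
        username: admin
      mongodb-2.2:
        password: longerpasswordvalue
        username: admin
YAML

# Parse the dump and redact it; returns the redacted structure.
def redacted_dump(yaml_text = SAMPLE_YAML)
  redact(YAML.safe_load(yaml_text))
end

# True if any of the given secret strings still appears in the rendered dump.
def leaks?(text, secrets)
  secrets.any? { |s| text.include?(s) }
end

if __FILE__ == $PROGRAM_NAME
  puts YAML.dump(redacted_dump)
end
```

Both the 3-character and the 19-character password render as the same 12 asterisks, and the non-secret fields (username, connection_url, database_name) are left readable, which is what a support log needs.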
Comment 4 Hou Jianwei 2012-12-20 04:45:48 EST
Tested on devenv_2613

Steps:
1. Create apps and embed db cartridges
2. run "rhc-chk -d"
3. check log file

Result:
db passwords are still exposed, see attachment

            ews1:
              framework: jbossews-1.0
              creation_time: "2012-12-20T02:38:43-05:00"
              embedded:
                mysql-5.1:
                  connection_url: mysql://127.1.2.129:3306/
                  password: 4ujyRP5USdxX
                  database_name: ews1
                  username: admin
                  info: "Connection URL: mysql://127.1.2.129:3306/"
              uuid: 440152af3f0647b99cb47eeb758740c7
              aliases:
Comment 5 Hou Jianwei 2012-12-20 04:46:22 EST
Created attachment 666571 [details]
rhc-chk log
Comment 6 Hiro Asari 2012-12-20 08:52:38 EST
Kurt,

Thank you for raising that point. Here's a new pull request to address it: https://github.com/openshift/rhc/pull/264

Jianwei,

Where did you run 'rhc-chk'? The image devenv_2613 has the change needed, but the machine on which you ran 'rhc-chk' might not. The 'rhc' gem has not been released, so you'll have to either try it from source, or run it on the image itself.
Comment 7 zhangjing 2012-12-20 21:45:29 EST
This bug has been verified and fixed on devenv_2618. Please refer to the details as below:

Steps:
1. Create an app and add all db cartridges.
2. Run "eval `ssh-agent`" and "ssh-add ~/.ssh/id_rsa" on the instance.
3. Run "rhc-chk -d" on the instance.
4. Check the generated log file.

Results:
All db passwords are displayed as "************" below:

            embedded:
              mongodb-2.2:
                password: "************"
                info: "Connection URL: mongodb://127.0.252.1:27017/"
                database_name: app1
                username: admin
                connection_url: mongodb://127.0.252.1:27017/
              postgresql-8.4:
                password: "************"
                info: "Connection URL: postgresql://127.0.252.1:5432/"
                database_name: app1
                username: admin
                connection_url: postgresql://127.0.252.1:5432/
              mysql-5.1:
                password: "************"
                info: "Connection URL: mysql://127.0.252.1:3306/"
                database_name: app1
                username: admin
                connection_url: mysql://127.0.252.1:3306/


Also attached the log file with details for your reference. 
Thanks.
Comment 8 zhangjing 2012-12-20 21:55:29 EST
Created attachment 667072 [details]
rhc-chk log
Comment 9 zhangjing 2012-12-20 22:51:26 EST
And the fixed version is rhc-1.3.2+ for this verification. Thanks.