FreeIPA's batch API logs user passwords to /var/log/httpd/error_log. When the actual command is processed, the passwords get masked out; however, when the batch command is logged, it logs all parameters of the sub-commands, including the sensitive ones.
Created attachment 1587101: Candidate patch
Patch tested successfully. I also ran the ipatests/test_xmlrpc/test_batch_plugin.py tests without any issue.

Example of output in /var/log/httpd/error_log when running in batch "ipa group_find" and "ipa passwd test SecretPwd":

ipa: DEBUG: raw: batch(group_find(None), passwd('test', '********', None))
ipa: DEBUG: batch(group_find(None), passwd('test', '********', None))
ipa: DEBUG: raw: group_find(None, version='2.233')
ipa: DEBUG: group_find(None, private=False, posix=False, external=False, nonposix=False, all=False, raw=False, version='2.233', no_members=True, pkey_only=False)
ipa: INFO: admin: batch: group_find(None): SUCCESS
ipa: DEBUG: raw: passwd('test', '********', None, version='2.233')
ipa: DEBUG: passwd(ipapython.kerberos.Principal('test'), '********', '********', version='2.233')
ipa: INFO: admin: batch: passwd('test', '********', None): SUCCESS
ipa: INFO: [jsonserver_kerb] admin: batch(group_find(None), passwd('test', '********', None)): SUCCESS
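As an added illustration (not FreeIPA's own code, and not the candidate patch), the following Python model shows the gap described in the report: the batch wrapper renders its sub-commands verbatim, while a per-command masking path replaces secret parameters before logging. It renders the two commands from the log excerpt above both ways and checks the rendered line for the plaintext secret, which is the post-upgrade check a practitioner would run against /var/log/httpd/error_log. The command names, the SENSITIVE_PARAMS table, the parameter positions and all function names are assumptions made for the demo.

```python
"""Added illustration of the batch-logging masking gap.

Not FreeIPA code: the command table, parameter positions and function
names below are assumptions for the demo.
"""

MASK = "********"

# Hypothetical table of which parameters of each command are secrets.
# Integers are positional indices, strings are keyword names.
SENSITIVE_PARAMS = {
    "passwd": {1, 2, "password", "current_password"},
    "user_add": {"userpassword"},
    "group_find": set(),
}


def format_call(name, args, kwargs, mask=True):
    """Render one command as a debug-log fragment.

    With mask=True, secret parameters are replaced by MASK. None is left
    visible so the log still shows that an optional parameter was absent,
    matching the raw batch line in the thread above.
    """
    secret = SENSITIVE_PARAMS.get(name, set()) if mask else set()

    def show(key, value):
        if key in secret and value is not None:
            return repr(MASK)
        return repr(value)

    parts = [show(i, a) for i, a in enumerate(args)]
    parts += ["%s=%s" % (k, show(k, v)) for k, v in kwargs.items()]
    return "%s(%s)" % (name, ", ".join(parts))


def format_batch_vulnerable(methods):
    """Pre-fix behaviour: batch only sees a list of {method, params} dicts
    and has no notion of which values are secret, so it logs them as-is."""
    calls = [format_call(m["method"], m["params"][0], m["params"][1], mask=False)
             for m in methods]
    return "batch(%s)" % ", ".join(calls)


def format_batch_fixed(methods):
    """Post-fix behaviour: each sub-command is rendered through the same
    masking rules its own execution path applies."""
    calls = [format_call(m["method"], m["params"][0], m["params"][1], mask=True)
             for m in methods]
    return "batch(%s)" % ", ".join(calls)


def find_leaks(log_text, secrets):
    """Return the secrets that appear in plaintext anywhere in log_text.

    Run this over the error_log after exercising the batch API with a
    known test password to confirm the fix is in place.
    """
    return sorted(s for s in secrets if s in log_text)


# Constructed batch request: the two sub-commands from the log excerpt above.
DEMO_METHODS = [
    {"method": "group_find", "params": [[None], {}]},
    {"method": "passwd", "params": [["test", "SecretPwd", None], {}]},
]

if __name__ == "__main__":
    for fmt in (format_batch_vulnerable, format_batch_fixed):
        line = "ipa: DEBUG: raw: " + fmt(DEMO_METHODS)
        print(line)
        print("  leaked:", find_leaks(line, ["SecretPwd"]))
```

The vulnerable renderer produces `passwd('test', 'SecretPwd', None)` inside the batch line, while the fixed renderer produces the `passwd('test', '********', None)` form seen in the thread; `find_leaks` flags only the former. Note that masking has to happen before the log call, not in a post-processing filter, because the raw line is emitted before the sub-command's own parameter validation runs.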
How should we go about releasing this? Is the upstream reporter going to disclose this at some point? Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6 matter? It is almost certainly affected too. Is a CVE going to be assigned?
(In reply to Rob Crittenden from comment #4)
> How should we go about releasing this? Is the upstream reporter going to
> disclose this at some point?

I am the reporter of this, so I can answer part of your questions. I do not have plans to disclose this. I look forward to using the batch API when RedHat releases this fix. Your patch is better than the one I originally provided with the report because it logs more information than the original one did. Thanks.

> Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6
> matter? It is almost certainly affected too.
>
> Is a CVE going to be assigned?
In reply to comment #4:
> How should we go about releasing this? Is the upstream reporter going to
> disclose this at some point?
>
> Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6
> matter? It is almost certainly affected too.

This is rated as having moderate impact, so we will create unacked trackers for rhel-7/8. We don't plan to fix this for rhel-6 though.

> Is a CVE going to be assigned?

We will assign a CVE id to this.
In reply to comment #5:
> (In reply to Rob Crittenden from comment #4)
> > How should we go about releasing this? Is the upstream reporter going to
> > disclose this at some point?
>
> I am the reporter of this, so I can answer part of your questions. I do not
> have plans to disclose this. I look forward to using the batch API when
> RedHat releases this fix. Your patch is better than the one I originally
> provided with the report because it logs more information than the original
> one did. Thanks.
>
> > Can this wait for RHEL 8.1.0 and 7.8.0 or do we need z-streams? Does RHEL 6
> > matter? It is almost certainly affected too.
> >
> > Is a CVE going to be assigned?

Hi Jamison,

Since you reported this flaw, we would like to acknowledge you as the reporter. Are you OK with using your name "Jamison Bennett" as the reporter? Or would you like something like "Jamison Bennett of Cloudera"? Please let us know.
Hi Huzaifa,

Yes, that would be awesome to use something like "Jamison Bennett of Cloudera". Thank you for checking.

Thanks,
Jamison
Acknowledgments: Name: Jamison Bennett (Cloudera)
Statement: This vulnerability exists in the server component of FreeIPA. Client packages are not affected.
Releases 4.6.7, 4.7.4, and 4.8.3 are done for FreeIPA. The release tarballs are available in https://releases.pagure.org/freeipa.
Upstream commit: https://pagure.io/freeipa/c/02ce407f5e10e670d4788778037892b58f80adc0
Created freeipa tracking bugs for this issue: Affects: fedora-all [bug 1777147]
External References: https://www.freeipa.org/page/Releases/4.6.7 https://www.freeipa.org/page/Releases/4.7.4 https://www.freeipa.org/page/Releases/4.8.3
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2020:0378 https://access.redhat.com/errata/RHSA-2020:0378
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10195
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.0 Update Services for SAP Solutions Via RHSA-2020:1269 https://access.redhat.com/errata/RHSA-2020:1269