Bug 1838401 (CVE-2020-10750) - CVE-2020-10750 jaegertracing/jaeger: credentials leaked to container logs
Summary: CVE-2020-10750 jaegertracing/jaeger: credentials leaked to container logs
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10750
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1838400
Reported: 2020-05-21 05:04 UTC by Mark Cooper
Modified: 2021-02-16 20:00 UTC (History)

Fixed In Version: jaeger 1.18.1
Doc Type: If docs needed, set a value
Doc Text:
An information disclosure vulnerability was found in jaegertracing/jaeger. When the Kafka data store is used, this flaw allows an attacker with access to the container's log file to discover the Kafka credentials.
Clone Of:
Environment:
Last Closed: 2020-06-19 17:20:23 UTC
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:2636 0 None None None 2020-06-19 16:20:59 UTC

Description Mark Cooper 2020-05-21 05:04:15 UTC
When using Kafka as a storage back-end, Jaeger before 1.18.1 writes plaintext and Kerberos credentials to the container log files. A low-privileged user could read the logs within the pod to discover the Kafka credentials, as the information is disclosed at log level info, which is the default.

References:

https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1

Comment 2 Mark Cooper 2020-05-21 05:24:17 UTC
Looks like the issue is located here: https://github.com/jaegertracing/jaeger/blob/e46f87376bdd2a28864864eb385ff49a6aa76330/plugin/storage/kafka/factory.go#L69

    // Initialize implements storage.Factory
    func (f *Factory) Initialize(metricsFactory metrics.Factory, logger *zap.Logger) error {
        f.metricsFactory, f.logger = metricsFactory, logger
        logger.Info("Kafka factory",
            zap.Any("producer builder", f.Builder),
            zap.Any("topic", f.options.topic))

The logged f.Builder gets initialized a few lines before with f.options.Config, which contains the credentials:
https://github.com/jaegertracing/jaeger/blob/e46f87376bdd2a28864864eb385ff49a6aa76330/plugin/storage/kafka/factory.go#L62

    // InitFromViper implements plugin.Configurable
    func (f *Factory) InitFromViper(v *viper.Viper) {
        f.options.InitFromViper(v)
        f.Builder = &f.options.config
    }

The log file then looks like:
{"level":"info","ts":1590031704.5821817,"msg":"Kafka factory","producer builder":{"Brokers":["127.0.0.1:9092"],"RequiredAcks":1,"Compression":0,"CompressionLevel":0,"ProtocolVersion":"","BatchLinger":0,"BatchSize":0,"BatchMaxMessages":0,"Authentication":"none","Kerberos":{"ServiceName":"kafka","Realm":"","UseKeyTab":false,"Username":"","Password":"","ConfigPath":"/etc/krb5.conf","KeyTabPath":"/etc/security/kafka.keytab"},"TLS":{"Enabled":false,"CAPath":"","CertPath":"","KeyPath":"","ServerName":"","ClientCAPath":"","SkipHostVerify":false},"PlainText":{"UserName":"root","Password":"password"}},"topic":"jaeger-spans"}

So the issue isn't localized to just plain text auth but perhaps kerberos as well if used.
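The pattern in the comment above, reduced to a stand-alone Go example that is not Jaeger's own code: a configuration struct holding credentials is handed to a structured logger as a whole value, and a reflection-based encoder prints every field verbatim. Here `encoding/json` stands in for the reflection path that `zap.Any` falls back to for arbitrary structs (an assumption about zap's behaviour, stated as such), the struct names `LeakyConfig`/`SafeConfig` and the credential `hunter2-example` are constructed for the example, and `ContainsSecret` is the check a test or log-scanning job can run to catch a leak. The hardened variant keeps the log line but stores the password in a `Secret` type whose JSON and string forms are always redacted.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

const redacted = "[REDACTED]"

// Secret is a string type whose serialized forms are always redacted. Any
// logger or encoder that goes through fmt or encoding/json (which is what a
// reflection-based structured logger does for unknown struct types) sees
// only the placeholder, never the value.
type Secret string

func (s Secret) String() string               { return redacted }
func (s Secret) MarshalJSON() ([]byte, error) { return json.Marshal(redacted) }

// LeakyPlainText mirrors the field names in the leaked log line: the password
// is an ordinary string, so a reflection-based encoder prints it verbatim.
type LeakyPlainText struct {
	UserName string
	Password string
}

// SafePlainText stores the password as Secret, so the same encoder redacts it.
type SafePlainText struct {
	UserName string
	Password Secret
}

// LeakyConfig and SafeConfig are constructed stand-ins for the producer
// configuration struct that is passed to the logger as a whole.
type LeakyConfig struct {
	Brokers   []string
	PlainText LeakyPlainText
}

type SafeConfig struct {
	Brokers   []string
	PlainText SafePlainText
}

// logLine emulates a structured logger encoding an arbitrary value under a
// key; the JSON encoding is the assumed equivalent of zap.Any on a struct.
func logLine(msg, key string, v interface{}) string {
	payload, err := json.Marshal(v)
	if err != nil {
		return fmt.Sprintf(`{"level":"error","msg":%q,"err":%q}`, msg, err.Error())
	}
	return fmt.Sprintf(`{"level":"info","msg":%q,%q:%s}`, msg, key, payload)
}

// LeakyLogLine reproduces the vulnerable pattern: whole config, password included.
func LeakyLogLine(cfg LeakyConfig) string {
	return logLine("Kafka factory", "producer builder", cfg)
}

// SafeLogLine logs the same config, but the Secret type redacts the password.
func SafeLogLine(cfg SafeConfig) string {
	return logLine("Kafka factory", "producer builder", cfg)
}

// ContainsSecret reports whether a log line contains a known credential
// value verbatim; useful as a unit test guard or a log-scanning check.
func ContainsSecret(line, secret string) bool {
	return strings.Contains(line, secret)
}

func main() {
	// Constructed sample credentials, not real ones.
	leaky := LeakyConfig{Brokers: []string{"127.0.0.1:9092"}, PlainText: LeakyPlainText{UserName: "root", Password: "hunter2-example"}}
	safe := SafeConfig{Brokers: []string{"127.0.0.1:9092"}, PlainText: SafePlainText{UserName: "root", Password: "hunter2-example"}}

	fmt.Println(LeakyLogLine(leaky))
	fmt.Println(SafeLogLine(safe))
	fmt.Println("leaky line exposes password:", ContainsSecret(LeakyLogLine(leaky), "hunter2-example"))
	fmt.Println("safe line exposes password:", ContainsSecret(SafeLogLine(safe), "hunter2-example"))
}
```

The design point is that redaction lives on the type rather than at each call site: once the password field is a `Secret`, every future log statement, debug dump or error message that serializes the config is covered, whereas remembering to omit the field at each `logger.Info` call is exactly what failed here. Note that only JSON and `fmt` paths are covered by these two methods; an encoder using a different interface (for example a YAML marshaler) would need its own.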

Comment 3 Mark Cooper 2020-05-21 07:25:17 UTC
Whilst OpenShift ServiceMesh Jaeger does package the affected code (Kafka), the only supported storage backing is ElasticSearch. Additionally, in the documentation/notes, only ElasticSearch is supported, hence marking OSSM as affected but wontfix.

Comment 4 Mark Cooper 2020-05-21 11:59:39 UTC
Acknowledgments:

Name: Carl Henrik Lunde (SpareBank 1)

Comment 10 RaTasha Tillery-Smith 2020-06-15 14:38:13 UTC
Statement:

While OpenShift ServiceMesh Jaeger does package the affected code (Kafka), the only supported data store is ElasticSearch. Additionally, in the documentation and notes, only ElasticSearch is supported, marking OpenShift ServiceMesh as affected but WONTFIX.

Comment 11 Joshua Padman 2020-06-19 10:33:59 UTC
Upstream release now available: https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1

Comment 12 errata-xmlrpc 2020-06-19 16:20:57 UTC
This issue has been addressed in the following products:

  Jaeger-1.17

Via RHSA-2020:2636 https://access.redhat.com/errata/RHSA-2020:2636

Comment 13 Product Security DevOps Team 2020-06-19 17:20:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10750

Comment 14 Mark Cooper 2020-06-21 23:27:05 UTC
External References:

https://github.com/jaegertracing/jaeger/releases/tag/v1.18.1
