Bug #17005

CVE-2016-9593: Filter out passwords from answer file and cert keys

Added by Lukas Zapletal about 1 year ago. Updated 10 months ago.

Status:Closed
Priority:Normal
Assigned To:Lukas Zapletal
Category:foreman-debug
Target version:Team Daniel - Iteration 9
Difficulty:
Bugzilla link:1370168
Found in release:
Pull request:https://github.com/theforeman/foreman/pull/3952
Story points:-
Velocity based estimate:-
Release:1.15.0
Release relationship:Auto

Description

When executing foreman-debug (foreman-debug-1.11.0.51-1.el7sat.noarch), I noticed it captured the following files containing passwords:

./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160728-13519-17pu8qt/default_values.yaml
./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160816-116632-pc8k5j/default_values.yaml

Sample entry (I have used XXXXXX to mask the password):

"capsule::params::pulp_admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::db_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"foreman_proxy::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXX
"foreman_proxy::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXX
"katello::params::oauth_secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"katello::params::post_sync_token": XXXXXXXXXXXXXXXXXXXXXXXXXXX

The following captured log files also contained passwords:

./foreman-debug-2nCVG/var/log/foreman-installer/satellite.log
./foreman-debug-2nCVG/var/log/foreman-installer/satellite.2.log
./foreman-debug-2nCVG/var/log/foreman-installer/satellite.3.log

Sample entry of keystore passwords being captured (I have used XXXXXX to mask the password):

[DEBUG 2016-07-28 14:24:13 main] Exec[import client certificate into Candlepin keystore](provider=posix): Executing 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass XXXXXXXXXXXXXXXXXXXXXXXX -srcstorepass XXXXXXXXXXXXXXXX -noprompt && rm /tmp/keystore.p12'

The following keystore files were also collected by foreman-debug; the private keystore files are the most concerning:

./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/prdl110.rtdomau.local.pem
./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/ca.pem
./foreman-debug-2nCVG/etc/foreman/client_cert.pem
./foreman-debug-2nCVG/etc/foreman/client_key.pem
./foreman-debug-2nCVG/etc/foreman/proxy_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_cert.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_key.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_cert.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_key.pem
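
As an added example (not foreman-debug's own code, and not the fix in the linked pull request), here is a POSIX shell filter of the kind this report calls for: it blanks out the value of answer-file entries whose key names a credential, redacts the keytool and openssl password arguments that end up in installer logs, and leaves private key files out of the archive altogether instead of copying them. The key-name words, option names and path suffixes are assumptions modelled on the entries listed above, and the sample input is constructed (no real credentials).

```shell
#!/bin/sh
# Added example, not foreman-debug's own code: sanitise files before they
# are copied into a support archive. Key-name words, option names and path
# suffixes are assumptions modelled on the entries in the report above.

# Blank out the value of answer-file entries whose key names a credential
# ("key": value, quoted or unquoted), then the password arguments that
# keytool (-storepass, -srcstorepass, ...) and openssl (-passin/-passout
# with the pass: form) accept on the command line. A file: reference for
# openssl is a path, not a secret, so it is left alone.
redact_secrets() {
    sed -E \
        -e 's/^([[:space:]]*"?[A-Za-z0-9_:.-]*(password|passwd|secret|token|consumer_key)[A-Za-z0-9_:.-]*"?[[:space:]]*:[[:space:]]*).*$/\1[FILTERED]/' \
        -e 's/(-(src|dest)?storepass|-(src|dest)?keypass)[[:space:]]+[^[:space:]]+/\1 [FILTERED]/g' \
        -e 's/(-pass(in|out)?)[[:space:]]+pass:[^[:space:]]+/\1 pass:[FILTERED]/g'
}

# True (exit 0) when a path looks like private key material. Such files
# cannot be usefully redacted, so they are simply not collected.
is_private_key_path() {
    case "$1" in
        *.key|*_key.pem|*/private/*|*/private_keys/*|*.jks|*.p12) return 0 ;;
        *) return 1 ;;
    esac
}

# Copy one file into the archive directory: skip private keys entirely and
# run everything else through the redaction filter. Prints what was done.
collect_for_debug() {
    src="$1"; dest_dir="$2"
    if is_private_key_path "$src"; then
        echo "skipped $src"
        return 0
    fi
    mkdir -p "$dest_dir$(dirname "$src")"
    redact_secrets < "$src" > "$dest_dir$src"
    echo "collected $src"
}

# Constructed sample modelled on the report (answer-file entries plus two
# installer log lines); returns the redacted text.
sample_redacted() {
    redact_secrets <<'EOF'
"::foreman::params::db_password": hunter2
"katello::params::oauth_secret": "s3cr3t"
"::foreman::params::server_name": foreman.example.com
[DEBUG 2016-07-28 14:24:13 main] Executing 'keytool -importkeystore -storepass abc123 -srcstorepass def456 -noprompt'
openssl pkcs12 -export -passout file:/etc/pki/katello/keystore_password-file -passin pass:topsecret
EOF
}

sample_redacted
```

The key filter deliberately over-matches (a `password_file:` entry would be blanked too): in a support archive, losing a harmless value is far cheaper than shipping a real credential. Certificates (`*_cert.pem`, `ca.pem`) are still collected, since they are public and genuinely useful for diagnosing TLS problems; only the key files are dropped.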

Associated revisions

Revision 8c9db4bf
Added by Lukas Zapletal 11 months ago

Fixes #17005 - more strict debug password filter

History

#1 Updated by The Foreman Bot about 1 year ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3952 added

#2 Updated by Daniel Lobato Garcia about 1 year ago

  • Target version set to Team Daniel - iteration 3

#4 Updated by Dominic Cleal 11 months ago

Lukas Zapletal wrote:

CVE-2016-9593

If you've requested a CVE for this issue, please follow the Security_process! It should be listed on the Foreman security page and you should be consulting or notifying the foreman-security list.

#5 Updated by Lukas Zapletal 11 months ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100

#6 Updated by Dominic Cleal 10 months ago

  • Release set to 1.15.0

#7 Updated by Daniel Lobato Garcia 10 months ago

  • Target version changed from Team Daniel - iteration 3 to Team Daniel - Iteration 9

#8 Updated by Lukas Zapletal 10 months ago

  • Subject changed from Filter out passwords from answer file and cert keys to CVE-2016-9593: Filter out passwords from answer file and cert keys

I haven't requested anything, Dominic. This is low score, leaving this on 1.15.

https://github.com/theforeman/theforeman.org/pull/824

#9 Updated by Dominic Cleal 10 months ago

Whoever decided to assign a CVE identifier to an issue in Foreman should in future bother notifying .
