Bug #17005
closedCVE-2016-9593: Filter out passwords from answer file and cert keys
Description
Executing a foreman-debug (foreman-debug-1.11.0.51-1.el7sat.noarch) I noticed it captured the following files containing passwords:
./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160728-13519-17pu8qt/default_values.yaml
./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160816-116632-pc8k5j/default_values.yaml
Sample entry (I have used XXXXXX to mask password)
"capsule::params::pulp_admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::db_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"foreman_proxy::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXX
"foreman_proxy::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXX
"katello::params::oauth_secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"katello::params::post_sync_token": XXXXXXXXXXXXXXXXXXXXXXXXXXX
The following log files captured also contained passwords:
./foreman-debug-2nCVG/var/log/foreman-installer/satellite.log
./foreman-debug-2nCVG/var/log/foreman-installer/satellite.2.log
./foreman-debug-2nCVG/var/log/foreman-installer/satellite.3.log
Sample entry of keystore passwords being captured (I have used XXXXXX to mask password)
[DEBUG 2016-07-28 14:24:13 main] Exec[import client certificate into Candlepin keystore](provider=posix): Executing 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass XXXXXXXXXXXXXXXXXXXXXXXX -srcstorepass XXXXXXXXXXXXXXXX -noprompt && rm /tmp/keystore.p12'
The following keystore files were also collected by foreman-debug, the private keystore files are most concerning:
./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/prdl110.rtdomau.local.pem
./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/ca.pem
./foreman-debug-2nCVG/etc/foreman/client_cert.pem
./foreman-debug-2nCVG/etc/foreman/client_key.pem
./foreman-debug-2nCVG/etc/foreman/proxy_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_cert.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_key.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_cert.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_key.pem
Updated by The Foreman Bot about 8 years ago
- Status changed from New to Ready For Testing
- Pull request https://github.com/theforeman/foreman/pull/3952 added
Updated by Lukas Zapletal about 8 years ago
CVE-2016-9593
Updated by Dominic Cleal almost 8 years ago
Lukas Zapletal wrote:
CVE-2016-9593
If you've requested a CVE for this issue, please follow the Security_process! It should be listed on the Foreman security page and you should be consulting or notifying the foreman-security list.
Updated by Lukas Zapletal almost 8 years ago
- Status changed from Ready For Testing to Closed
- % Done changed from 0 to 100
Applied in changeset 8c9db4bfea2f5fb14de2241dd7182a608baa7337.
Updated by Dominic Cleal almost 8 years ago
- Translation missing: en.field_release set to 209
Updated by Daniel Lobato Garcia almost 8 years ago
- Target version changed from 1.5.2 to 1.11.0
Updated by Lukas Zapletal almost 8 years ago
- Subject changed from Filter out passwords from answer file and cert keys to CVE-2016-9593: Filter out passwords from answer file and cert keys
I haven't requested anything, Dominic. This is low score, leaving this on 1.15.
Updated by Dominic Cleal almost 8 years ago
Whoever decided to assign a CVE identifier to an issue in Foreman should in future bother notifying foreman-security@googlegroups.com.