Project

General

Profile

Actions

Bug #17005

closed

CVE-2016-9593: Filter out passwords from answer file and cert keys

Added by Lukas Zapletal about 8 years ago. Updated over 6 years ago.

Status:
Closed
Priority:
Normal
Category:
foreman-debug
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Executing a foreman-debug (foreman-debug-1.11.0.51-1.el7sat.noarch) I noticed it captured the following files containing passwords:

./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160728-13519-17pu8qt/default_values.yaml
./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160816-116632-pc8k5j/default_values.yaml

Sample entry (I have used XXXXXX to mask password)

"capsule::params::pulp_admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::db_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"foreman_proxy::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXX
"foreman_proxy::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXX
"katello::params::oauth_secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"katello::params::post_sync_token": XXXXXXXXXXXXXXXXXXXXXXXXXXX

The following log files captured also contained passwords:

./foreman-debug-2nCVG/var/log/foreman-installer/satellite.log
./foreman-debug-2nCVG/var/log/foreman-installer/satellite.2.log
./foreman-debug-2nCVG/var/log/foreman-installer/satellite.3.log

Sample entry of keystore passwords being captured (I have used XXXXXX to mask password)

[DEBUG 2016-07-28 14:24:13 main] Exec[import client certificate into Candlepin keystore](provider=posix): Executing 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass XXXXXXXXXXXXXXXXXXXXXXXX -srcstorepass XXXXXXXXXXXXXXXX -noprompt && rm /tmp/keystore.p12'

The following keystore files were also collected by foreman-debug, the private keystore files are most concerning:

./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/prdl110.rtdomau.local.pem
./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/ca.pem
./foreman-debug-2nCVG/etc/foreman/client_cert.pem
./foreman-debug-2nCVG/etc/foreman/client_key.pem
./foreman-debug-2nCVG/etc/foreman/proxy_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_cert.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_key.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_cert.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_key.pem

Actions #1

Updated by The Foreman Bot about 8 years ago

  • Status changed from New to Ready For Testing
  • Pull request https://github.com/theforeman/foreman/pull/3952 added
Actions #2

Updated by Daniel Lobato Garcia about 8 years ago

  • Target version set to 1.5.2
Actions #4

Updated by Dominic Cleal almost 8 years ago

Lukas Zapletal wrote:

CVE-2016-9593

If you've requested a CVE for this issue, please follow the Security_process! It should be listed on the Foreman security page and you should be consulting or notifying the foreman-security list.

Actions #5

Updated by Lukas Zapletal almost 8 years ago

  • Status changed from Ready For Testing to Closed
  • % Done changed from 0 to 100
Actions #6

Updated by Dominic Cleal almost 8 years ago

  • Translation missing: en.field_release set to 209
Actions #7

Updated by Daniel Lobato Garcia almost 8 years ago

  • Target version changed from 1.5.2 to 1.11.0
Actions #8

Updated by Lukas Zapletal almost 8 years ago

  • Subject changed from Filter out passwords from answer file and cert keys to CVE-2016-9593: Filter out passwords from answer file and cert keys

I haven't requested anything, Dominic. This is low score, leaving this on 1.15.

https://github.com/theforeman/theforeman.org/pull/824

Actions #9

Updated by Dominic Cleal almost 8 years ago

Whoever decided to assign a CVE identifier to an issue in Foreman should in future bother notifying .

Actions

Also available in: Atom PDF