Bug #17005

closed

CVE-2016-9593: Filter out passwords from answer file and cert keys

Added by Lukas Zapletal over 7 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Normal
Category: foreman-debug
Target version:
Difficulty:
Triaged:
Fixed in Releases:
Found in Releases:

Description

Executing foreman-debug (foreman-debug-1.11.0.51-1.el7sat.noarch), I noticed it captured the following files containing passwords:

./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160728-13519-17pu8qt/default_values.yaml
./foreman-debug-2nCVG/etc/foreman-installer/scenarios.d/d20160816-116632-pc8k5j/default_values.yaml

Sample entry (I have used XXXXXX to mask the password):

"capsule::params::pulp_admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::db_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"::foreman::params::admin_password": XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
"foreman_proxy::params::oauth_consumer_key": XXXXXXXXXXXXXXXXXXXXXXXXXX
"foreman_proxy::params::oauth_consumer_secret": XXXXXXXXXXXXXXXXXXXXXXXXXX
"katello::params::oauth_secret": "XXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
"katello::params::post_sync_token": XXXXXXXXXXXXXXXXXXXXXXXXXXX

The following captured log files also contained passwords:

./foreman-debug-2nCVG/var/log/foreman-installer/satellite.log
./foreman-debug-2nCVG/var/log/foreman-installer/satellite.2.log
./foreman-debug-2nCVG/var/log/foreman-installer/satellite.3.log

Sample entry of keystore passwords being captured (I have used XXXXXX to mask the password):

[DEBUG 2016-07-28 14:24:13 main] Exec[import client certificate into Candlepin keystore](provider=posix): Executing 'openssl pkcs12 -export -name amqp-client -in /etc/pki/katello/certs/java-client.crt -inkey /etc/pki/katello/private/java-client.key -out /tmp/keystore.p12 -passout file:/etc/pki/katello/keystore_password-file && keytool -importkeystore -destkeystore /etc/candlepin/certs/amqp/candlepin.jks -srckeystore /tmp/keystore.p12 -srcstoretype pkcs12 -alias amqp-client -storepass XXXXXXXXXXXXXXXXXXXXXXXX -srcstorepass XXXXXXXXXXXXXXXX -noprompt && rm /tmp/keystore.p12'

The following keystore files were also collected by foreman-debug; the private keystore files are the most concerning:

./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/prdl110.rtdomau.local.pem
./foreman-debug-2nCVG/var/lib/puppet/ssl/certs/ca.pem
./foreman-debug-2nCVG/etc/foreman/client_cert.pem
./foreman-debug-2nCVG/etc/foreman/client_key.pem
./foreman-debug-2nCVG/etc/foreman/proxy_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_cert.pem
./foreman-debug-2nCVG/etc/foreman-proxy/foreman_ssl_key.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_ca.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_cert.pem
./foreman-debug-2nCVG/etc/foreman-proxy/ssl_key.pem
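A sanitizing pass of the kind the title asks for, added here as an example; it is neither foreman-debug's own fix nor the reporter's code. It assumes POSIX sh with `sed -E`, the key names, command-line flags and file paths shown in the report above, and `[FILTERED]` as a constructed placeholder for redacted values.

```shell
#!/bin/sh
# Added example, not foreman-debug's own code: sanitize the three kinds of
# secret the report shows reaching the archive. Patterns are written against
# the sample entries, so differently named keys need the lists extended.

# 1. Installer answer file: blank the value of any key whose name ends in
#    password, secret, key or token. The key itself stays, so the archive
#    still shows which settings were set, just not to what.
redact_answer_file() {
  sed -E 's/^("?[^"[:space:]]*(password|secret|key|token)"?:[[:space:]]*).*$/\1[FILTERED]/'
}

# 2. Installer log: the keytool invocation in the report passes store
#    passwords on the command line, so blank the argument that follows
#    -storepass and -srcstorepass wherever they occur in a line.
redact_installer_log() {
  sed -E 's/(-(src)?storepass)[[:space:]]+[^[:space:]]+/\1 [FILTERED]/g'
}

# 3. Private key material: never copy it at all. Matches the *_key.pem files
#    listed above, anything under a private/ directory and bare .key files;
#    public certs and CA bundles (ca.pem, *_cert.pem) stay collectable.
is_private_key_path() {
  case "$1" in
    *_key.pem|*/private/*|*.key) return 0 ;;
    *) return 1 ;;
  esac
}

# Route one file the way the collector should: refuse private keys, sanitize
# the answer file and installer logs (content arrives on stdin), pass
# anything else through unchanged. Returns 1 when the file must be skipped.
filter_for_archive() {
  if is_private_key_path "$1"; then
    return 1
  fi
  case "$1" in
    */default_values.yaml) redact_answer_file ;;
    */foreman-installer/*.log) redact_installer_log ;;
    *) cat ;;
  esac
}

# Constructed sample input; the values are placeholders, not real credentials.
SAMPLE_ANSWERS='"::foreman::params::db_host": localhost
"::foreman::params::db_password": hunter2
"katello::params::oauth_secret": "s3cr3t"'

printf '%s\n' "$SAMPLE_ANSWERS" | filter_for_archive /etc/foreman-installer/scenarios.d/x/default_values.yaml
```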
