  1. AMQ Broker
  2. ENTMQBR-1016

[AMQ7,Hawtio] AMQ 7 hawtio console stores user's password in browser's local cache after the user logs out


Details

    • Release Notes
    • A security issue has been fixed for AMQ Console. Before, if you logged into AMQ Console, the value of the Password field was visible from local storage using Google Chrome Developer tools.
    • Documented as Resolved Issue

      1. Log in to the AMQ 7 hawtio console using Chrome.
      2. Enable Chrome Developer tools.
      3. Log out from Hawtio.
      4. Check local storage for the key artemisPassword in Developer tools. Screenshot attached for reference.


    Description

      Security issue with AMQ 7 management console.

      After logging in to the Management Console, in the Management Console Preferences window, in the Artemis tab details, the password field value is clearly visible in the local storage key:value section using Chrome Developer tools.

      In local storage, for the key artemisPassword, the value is the actual password of the user logged in to the admin console.

      This key-value pair is still available and visible even if the user logs out from the console and closes the browser.

      Attached is the screen-shot.

      Attachments

        1. AMQ1.png (160 kB)
        2. AMQ2.png (276 kB)
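
A regression check for the behaviour reported above, as an added example that is not part of the original issue or the AMQ Console code: it replays login and logout against an in-memory stand-in for `localStorage` and lists the credential-like keys left behind. Only the key `artemisPassword` comes from the issue; `uiTheme`, the key-name pattern and all function names are assumptions.

```javascript
// Added example. Only the key artemisPassword comes from the issue; all else is hypothetical.

// Minimal stand-in for the browser Storage interface so the check runs outside a browser.
class MemoryStorage {
  constructor() { this.map = new Map(); }
  get length() { return this.map.size; }
  key(i) { return [...this.map.keys()][i] ?? null; }
  getItem(k) { return this.map.has(k) ? this.map.get(k) : null; }
  setItem(k, v) { this.map.set(k, String(v)); }
  removeItem(k) { this.map.delete(k); }
}

// Key names that suggest a stored secret (assumed pattern; tune per application).
const SECRET_KEY_PATTERN = /pass(word|wd)?|secret|token/i;

// Return the sorted names of non-empty entries whose key looks like a credential.
function findCredentialKeys(storage) {
  const hits = [];
  for (let i = 0; i < storage.length; i++) {
    const name = storage.key(i);
    if (SECRET_KEY_PATTERN.test(name) && storage.getItem(name) !== '') hits.push(name);
  }
  return hits.sort();
}

// Behaviour described in the issue: login persists the password, logout leaves it behind.
function loginAsReported(storage, password) {
  storage.setItem('uiTheme', 'dark');            // constructed non-secret preference
  storage.setItem('artemisPassword', password);  // key named in the issue
}
function logoutAsReported(storage) { /* session ends; storage is not touched */ }

// Hardened logout: remove every credential-like entry, keep ordinary preferences.
function logoutHardened(storage) {
  for (const name of findCredentialKeys(storage)) storage.removeItem(name);
}

// Replay the reproduction steps with a constructed password and audit what remains.
function reproduce(logout) {
  const storage = new MemoryStorage();
  loginAsReported(storage, 'constructed-sample-password');
  logout(storage);
  return { leaked: findCredentialKeys(storage), prefsKept: storage.getItem('uiTheme') === 'dark' };
}

console.log(reproduce(logoutAsReported).leaked, reproduce(logoutHardened).leaked);
```

Clearing at logout only covers the post-logout case in this report; while the session is open the value is still readable, so not persisting the password at all is the stronger fix.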

            People

              sknot@redhat.com Stanislav Knot (Inactive)
              rhn-support-shsingh Shailendra Singh
              Oleg Sushchenko Oleg Sushchenko