    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • 7.0.0.DR10
    • 7.0.0.DR8
    • Security

      1) Start the server and execute the following CLI commands:

      ./jboss-cli.sh -c '/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled, value=true)'
      ./jboss-cli.sh -c ":shutdown"

      2) Check the output of the command:

      ls -l ${SERVER_HOME}/standalone/data/audit-log.log

      The server writes sensitive information into a world-readable audit log file. A local attacker could read this file to obtain otherwise protected information, such as details about user sessions.
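      The condition above, checked from the operator's side: the following script is an added example and is not part of this issue or of the EAP code base. It takes SERVER_HOME and the relative path standalone/data/audit-log.log from the reproduction steps; the chmod 600 workaround is an assumption of the script, not a fix stated in the issue. The check reads the "others" read bit from `ls -ld` output, so it works on any POSIX shell and does not depend on the caller's own access rights.

```shell
#!/bin/sh
# Added example, not from the JIRA issue: detect the management audit log
# being readable by every local user, and optionally restrict it.
# SERVER_HOME and standalone/data/audit-log.log come from the reproduction
# steps; the chmod 600 workaround below is this script's assumption.

# Exit 0 when the file's "others" read bit is set, 1 when it is not,
# 2 when the file does not exist.
is_world_readable() {
    f="$1"
    [ -e "$f" ] || return 2
    # `ls -ld` prints e.g. "-rw-r--r--"; column 8 is the read bit for "others".
    bit=$(ls -ld "$f" | cut -c8)
    [ "$bit" = "r" ]
}

# Report on the audit log under the given server home (defaults to
# $SERVER_HOME, then the current directory).
# Exit 0 when the file is absent or restricted, 1 when it is world-readable.
check_audit_log() {
    home="${1:-${SERVER_HOME:-.}}"
    log="$home/standalone/data/audit-log.log"
    rc=0
    is_world_readable "$log" || rc=$?
    case $rc in
        0) echo "FAIL: $log is readable by all local users"; return 1 ;;
        1) echo "OK:   $log is not world-readable"; return 0 ;;
        *) echo "SKIP: $log does not exist (audit logging not enabled yet?)"; return 0 ;;
    esac
}

# Interim workaround (assumption, not from the issue): drop group/other access
# on the existing file. Exit 2 when there is nothing to restrict.
restrict_audit_log() {
    home="${1:-${SERVER_HOME:-.}}"
    log="$home/standalone/data/audit-log.log"
    [ -e "$log" ] || return 2
    chmod 600 "$log"
}

# Stand-alone use: ./check-audit-log.sh [SERVER_HOME]
if [ -n "${1:-}${SERVER_HOME:-}" ]; then
    check_audit_log "${1:-$SERVER_HOME}" || :
fi
```

      Run it after enabling audit logging as in step 1; a FAIL line reproduces the report, and after restrict_audit_log the same check should print OK. Note that a permission fix on the existing file does not stop the server from recreating the file with the original mode, so the check belongs in a recurring host baseline rather than being run once.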

      This issue was originally reported as a CVE in https://bugzilla.redhat.com/show_bug.cgi?id=1063642. The EAP 6.x branches are fixed, but the same issue occurs again in EAP 7.

              istudens@redhat.com Ivo Studensky
              olukas Ondrej Lukas (Inactive)