Loading...

XML

Word

Printable

Details

Type: Task
Resolution: Done
Priority: Major
Fix Version/s: 7.13.1.GA, IBM BAMOE 8.0.1.GA
Affects Version/s: None
Component/s: Cloud
Labels:
- bamoe-verified

Blocked:
False
Blocked Reason:
None
Ready:
False
Affects:

Release Notes
Fix Build:
CR1
Target Release:

7.13.1.GA
Git Pull Request:
https://github.com/RHsyseng/operator-utils/pull/99, https://github.com/kiegroup/kie-cloud-operator/pull/825, https://github.com/kiegroup/kie-cloud-operator/pull/822
[QE] How to address?:
---
[QE] Why QE missed?:
---

Sprint:
2022 Week 29-31 (from Jul 18), 2022 Week 32-34 (from Aug 8)

SFDC Cases Counter:
SFDC Cases Links:

Description

The danger of using environment variables is that it's easy for the secrets to be accidentally leaked
through logging, as it's common for software to log its entire environment. The set of people who
have access to logs is often much bigger than the people who need production key values.
For this reason, many security experts recommend using the volume-mount approach, where your
code reads the secret value from a file in a well-known location. Most orchestrators support this
method of passing secrets into a container.
During pen test, it is observed that sensitive information like username and password are exposed in
environment variable. An attacker can access env variable and retrieve the sensitive information.
Username and password are exposed in pod logs

Attachments

Activity

People

Assignee:: Davide Salerno

Reporter:: Adriel Paredes

Tester:: Jakub Schwan

QA Contact:: Jakub Schwan

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2022/07/08 2:08 PM

Updated:: 2024/02/12 9:15 AM

Resolved:: 2022/08/23 2:59 PM