Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-885

World readable audit.log file

    XMLWordPrintable

Details

    • Bug
    • Status: Resolved (View Workflow)
    • Blocker
    • Resolution: Done
    • 2.0.0.Beta2
    • 2.0.0.Beta6
    • Management
    • None
    • Hide

      1) Start server and execute following CLI commands:

      ./jboss-cli.sh -c '/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled, value=true)'
      ./jboss-cli.sh -c ":shutdown"
      

      2) Check output of command:

      ls -l ${SERVER_HOME}/standalone/data/audit-log.log
      
      Show
      1) Start server and execute following CLI commands: ./jboss-cli.sh -c '/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled, value=true)' ./jboss-cli.sh -c ":shutdown" 2) Check output of command: ls -l ${SERVER_HOME}/standalone/data/audit-log.log

    Description

      Server logs sensitive information into a world readable audit.log file. This information could be used by a local attacker to gain otherwise protected information about user sessions etc.

      This issue was originally reported as CVE in https://bugzilla.redhat.com/show_bug.cgi?id=1063642. EAP 6.x branches are fixed but same issue occurs in EAP 7 again.

      Attachments

        Issue Links

          Activity

            People

              istudens@redhat.com Ivo Studensky
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: