WildFly Core: WFCORE-885

World readable audit.log file


Details

    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • Fix Version: 2.0.0.Beta6
    • Affects Version: 2.0.0.Beta2
    • Component: Management
    • Labels: None
    Steps to Reproduce

      1) Start the server and execute the following CLI commands:

      ./jboss-cli.sh -c '/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled, value=true)'
      ./jboss-cli.sh -c ":shutdown"

      2) Check the output of the command:

      ls -l ${SERVER_HOME}/standalone/data/audit-log.log
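An added check that automates step 2 (it is not part of this issue or of WildFly): it reads the same `ls -l` mode string the reproduction step inspects, reports whether the group or others can read the file, and tightens an exposed file to owner-only access, which is the operator-side mitigation until the server creates the file with restrictive permissions itself. `${SERVER_HOME}` is assumed to be set as in the reproduction step; the function names are ours.

```sh
#!/bin/sh
# Added example: detect an audit log readable beyond its owner and tighten it.
# Mode string layout from "ls -l": type(1) owner(rwx) group(rwx) others(rwx),
# e.g. "-rw-r--r--" is world readable, "-rw-------" is owner only.

# Print the 10-character mode string of a path (portable, no GNU stat needed).
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Return 0 (true) if the group or others hold the read bit, 1 otherwise.
# Character 5 is group-read, character 8 is others-read.
readable_beyond_owner() {
    m=$(mode_string "$1") || return 2
    g=$(printf '%s' "$m" | cut -c5)
    o=$(printf '%s' "$m" | cut -c8)
    case "$g$o" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Report on a file and, if it is exposed, restrict it to owner read/write.
# Returns 0 when a fix was applied, 1 when the mode was already fine,
# 2 when the file does not exist.
fix_if_exposed() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f"
        return 2
    fi
    if readable_beyond_owner "$f"; then
        echo "EXPOSED: $(mode_string "$f") $f -> applying chmod 600"
        chmod 600 "$f"
        return 0
    fi
    echo "ok: $(mode_string "$f") $f"
    return 1
}

# Usage against the path from the reproduction step (SERVER_HOME assumed set):
# fix_if_exposed "${SERVER_HOME}/standalone/data/audit-log.log"
```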

    Description

      The server logs sensitive information into a world-readable audit.log file. A local attacker could read this file to obtain otherwise protected information about user sessions, etc.

      This issue was originally reported as a CVE in https://bugzilla.redhat.com/show_bug.cgi?id=1063642. The EAP 6.x branches are fixed, but the same issue occurs again in EAP 7.

            People

              istudens@redhat.com Ivo Studensky
              olukas Ondrej Lukas (Inactive)