Uploaded image for project: 'WildFly Core'
  1. WildFly Core
  2. WFCORE-885

World readable audit.log file

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Done
    • Icon: Blocker Blocker
    • 2.0.0.Beta6
    • 2.0.0.Beta2
    • Management
    • None
    • Hide

      1) Start server and execute following CLI commands:

      ./jboss-cli.sh -c '/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled, value=true)'
./jboss-cli.sh -c ":shutdown"

      2) Check output of command: 

      ls -l ${SERVER_HOME}/standalone/data/audit-log.log
      Show
      1) Start server and execute following CLI commands: ./jboss-cli.sh -c '/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled, value=true)' ./jboss-cli.sh -c ":shutdown" 2) Check output of command: ls -l ${SERVER_HOME}/standalone/data/audit-log.log

      Server logs sensitive information into a world readable audit.log file. This information could be used by a local attacker to gain otherwise protected information about user sessions etc.

      This issue was originally reported as CVE in https://bugzilla.redhat.com/show_bug.cgi?id=1063642. EAP 6.x branches are fixed but same issue occurs in EAP 7 again.

              istudens@redhat.com Ivo Studensky
              olukas Ondrej Lukas (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: