Joseph Wheeler created DIRSERVER-2415:
-----------------------------------------
Summary: ApacheDS 2.0.0-AM26 LdapProtocolDecoder DEBUG logging does not obfuscate new password.
Key: DIRSERVER-2415
URL: https://issues.apache.org/jira/browse/DIRSERVER-2415
Project: Directory ApacheDS
Issue Type: Bug
Components: logs, security
Affects Versions: 2.0.0.AM27, 2.0.0.AM26
Environment: Red Hat Enterprise Linux 8.9 (most likely not OS specific)
Reporter: Joseph Wheeler
DISA Application Server Security Requirements Guide (SRG) V4R1 requirements
V-204785 and V-204727 require an application server to generate a full-text
recording of executed privileged commands. To meet this requirement,
log4j.logger.org.apache.directory.api.CODEC_LOG=DEBUG was set in
log4j.properties to capture commands sent to the server. While this fulfills
the requirement, the resulting log data does not obfuscate new passwords when a
command to change a password is sent. The old password appears to be obfuscated
(shows 'oldPassword : null'), but the new password is present and in cleartext.
This violates requirement V-204774 in the same SRG.
Example from the log:
18 Nov 2024 17:59:01,224 DEBUG [NioProcessor-3] (org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode:143) - MSG_14002_DECODED_LDAP_MESSAGE (PwdModifyRequest :
UserIdentity : uid=testaccount_20241118,ou=users,o=test
oldPassword : null
newPassword : Cle@rT3XtP@ssw0rd
Issue confirmed on 2.0.0.AM26 and 2.0.0.AM27. Not tested on previous versions.
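As an added example (not part of this report or of the ApacheDS project), a small Python post-processor that scans CODEC_LOG DEBUG output for decoded PwdModifyRequest entries, redacts any non-null oldPassword/newPassword value before the log is retained or shipped, and reports which entries leaked a secret so the affected accounts can be rotated. The sample log is constructed from the entry quoted above plus a made-up SearchRequest entry; the line-start and field patterns are assumptions about the log4j layout shown and do not change the underlying defect in the decoder.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of CODEC_LOG output, modelled on the PwdModifyRequest
# entry quoted in the report; the SearchRequest entry is made up.
SAMPLE_LOG = """\
18 Nov 2024 17:59:01,224 DEBUG [NioProcessor-3] (org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode:143) - MSG_14002_DECODED_LDAP_MESSAGE (PwdModifyRequest :
UserIdentity : uid=testaccount_20241118,ou=users,o=test
oldPassword : null
newPassword : Cle@rT3XtP@ssw0rd
18 Nov 2024 17:59:02,010 DEBUG [NioProcessor-3] (org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode:143) - MSG_14002_DECODED_LDAP_MESSAGE (SearchRequest :
baseDn : ou=users,o=test
"""

# Assumed log4j layout: every entry starts with "dd Mon yyyy HH:mm:ss,SSS ";
# continuation lines of a decoded message carry no timestamp.
ENTRY_START = re.compile(r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) ")
PASSWORD_FIELD = re.compile(r"^(?P<field>oldPassword|newPassword) : (?P<value>.*)$")
IDENTITY_FIELD = re.compile(r"^UserIdentity : (?P<dn>.*)$")


def redact_pwdmodify(log_text: str) -> Tuple[str, List[Dict[str, str]]]:
    """Return (redacted log text, findings). A finding records the entry
    timestamp, the field that carried a cleartext value and the target DN."""
    redacted: List[str] = []
    findings: List[Dict[str, str]] = []
    in_pwdmodify = False
    timestamp = ""
    identity = ""
    for line in log_text.splitlines():
        start = ENTRY_START.match(line)
        if start:
            # New log entry: only track fields while inside a PwdModifyRequest.
            in_pwdmodify = "PwdModifyRequest" in line
            timestamp = start.group(1)
            identity = ""
        elif in_pwdmodify:
            ident = IDENTITY_FIELD.match(line)
            if ident:
                identity = ident.group("dn")
            pwd = PASSWORD_FIELD.match(line)
            # "null" is how the decoder prints an absent password; anything
            # else is a secret and must not reach the retained log.
            if pwd and pwd.group("value") != "null":
                findings.append({"time": timestamp, "field": pwd.group("field"), "user": identity})
                line = f"{pwd.group('field')} : <redacted>"
        redacted.append(line)
    return "\n".join(redacted) + "\n", findings
```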
--
This message was sent by Atlassian Jira (v8.20.10#820010)