[MNT-16509] CLONE - Encrypted passwords showing as clear text in JMX console settings - Alfresco JIRA

Details

Type: Service Pack Request
Status: Closed (View Workflow)
Resolution: Fixed
Affects Version/s: 4.2.6
Fix Version/s: 4.2.7
Component/s: JMX
Labels:
- triaged

Bug Priority:

Category 2
Security Issue:

Yes
ACT Numbers:

00589482
Build Location:
https://releases.alfresco.com/Enterprise-4.2/4.2.7/build-00007

Description

When using encrypted settings, I've been able to find in MBeans, under Alfresco -> Configuration -> ContentStore -> managed -> encrypted -> attributes, the 'cryptodoc.jce.key.passwords' entry shows the passwords decrypted.

Also, the 'cryptodoc.jce.keystore.password' entry shows the keystore password in the clear as well while the 'cryptodoc.jce.key.passwords' entry under 'GlobalProperties -> Attributes' shows it pointing to ${cryptodoc.jce.key.passwords.enc}.

A partner believes this to be a security hole, as anyone with controlRole or monitorRole access will be able to see the passwords for the keystore.

I was able to reproduce on 5.0.2.5.

Steps to reproduce:

1. Install 5.0.2.5
2. In alfresco-encrypted.properties add these properties:

cryptodoc.jce.keystore.path=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
cryptodoc.jce.keystore.password=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
cryptodoc.jce.key.aliases=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
cryptodoc.jce.key.passwords=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)

3. In alfresco-global.properties add these properties:

cryptodoc.jce.keystore.path=${cryptodoc.jce.keystore.path.enc}
cryptodoc.jce.keystore.password=${cryptodoc.jce.keystore.password.enc}
cryptodoc.jce.key.aliases=${cryptodoc.jce.key.aliases.enc}
cryptodoc.jce.key.passwords=${cryptodoc.jce.key.passwords.enc}

4. Start Alfresco.

5. Attach to the JMX console using jconsole.

6. Have a look at MBeans, under Alfresco -> Configuration -> ContentStore -> managed -> encrypted -> attributes -> 'cryptodoc.jce.key.passwords' entry

7. Have a look at MBeans under Alfreso -> Global Properties -> Attributes -> ryptodoc.jce.keystore.password

Observed:

In Step #6 the 'cryptodoc.jce.key.passwords' entry shows the passwords decrypted even though they are encrypted in the properties file.

In Step #7 the 'cryptodoc.jce.key.passwords' entry under 'GlobalProperties -> Attributes' shows it pointing to ${cryptodoc.jce.key.passwords.enc}.

Expected:

In Step #6 the passwords should not be shown as clear text but rather the property as shown in Step #7.

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

LdapPasswordJconsole.png
283 kB
07-Dec-16 09:07 AM
LdapShowPassword.png
249 kB
07-Dec-16 09:07 AM
RunTestAuthentication.png
336 kB
07-Dec-16 09:07 AM
RunTestLdap.png
330 kB
07-Dec-16 09:07 AM
ShowPassword.png
506 kB
07-Dec-16 09:07 AM
V4.2-installer.txt
10 kB
06-Dec-16 01:51 PM

Issue Links

is clone of

MNT-15494 Encrypted passwords showing as clear text in JMX console settings

Closed

relates to

MNT-17233 Alfresco linux installer not working on ubuntu

Closed

Structure

Activity

People

Assignee:

Closed Bugs

Reporter:

Harlin Seritt

Votes:

0 Vote for this issue

Watchers:

11 Start watching this issue

Dates

Created:

06-Jul-16 01:06 AM

Updated:

16-Feb-17 03:54 PM

Resolved:

08-Dec-16 10:13 AM

Time Tracking

Estimated:

Not Specified

Remaining:

Logged:

3d 1h 10m

Details

Description

Attachments

Attachments

Issue Links

Structure

Activity

People

Dates

Time Tracking

Structure Helper Panel