  1. Service Packs and Hot Fixes
  2. MNT-16509

CLONE - Encrypted passwords showing as clear text in JMX console settings

    Details

    • Type: Service Pack Request
    • Status: Closed
    • Resolution: Fixed
    • Affects Version/s: 4.2.6
    • Fix Version/s: 4.2.7
    • Component/s: JMX

      Description

      When using encrypted settings, I've been able to find in MBeans, under Alfresco -> Configuration -> ContentStore -> managed -> encrypted -> attributes, the 'cryptodoc.jce.key.passwords' entry shows the passwords decrypted.

      Also, the 'cryptodoc.jce.keystore.password' entry shows the keystore password in the clear as well while the 'cryptodoc.jce.key.passwords' entry under 'GlobalProperties -> Attributes' shows it pointing to ${cryptodoc.jce.key.passwords.enc}.

      A partner believes this to be a security hole, as anyone with controlRole or monitorRole access will be able to see the passwords for the keystore.

      I was able to reproduce on 5.0.2.5.

      Steps to reproduce:

      1. Install 5.0.2.5
      2. In alfresco-encrypted.properties add these properties:

      cryptodoc.jce.keystore.path=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
      cryptodoc.jce.keystore.password=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
      cryptodoc.jce.key.aliases=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
      cryptodoc.jce.key.passwords=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)

      3. In alfresco-global.properties add these properties:

      cryptodoc.jce.keystore.path=${cryptodoc.jce.keystore.path.enc}
      cryptodoc.jce.keystore.password=${cryptodoc.jce.keystore.password.enc}
      cryptodoc.jce.key.aliases=${cryptodoc.jce.key.aliases.enc}
      cryptodoc.jce.key.passwords=${cryptodoc.jce.key.passwords.enc}

      4. Start Alfresco.

      5. Attach to the JMX console using jconsole.

      6. Have a look at MBeans, under Alfresco -> Configuration -> ContentStore -> managed -> encrypted -> attributes -> 'cryptodoc.jce.key.passwords' entry

      7. Have a look at MBeans under Alfresco -> Global Properties -> Attributes -> cryptodoc.jce.keystore.password

      Observed:

      In Step #6 the 'cryptodoc.jce.key.passwords' entry shows the passwords decrypted even though they are encrypted in the properties file.

      In Step #7 the 'cryptodoc.jce.key.passwords' entry under 'GlobalProperties -> Attributes' shows it pointing to ${cryptodoc.jce.key.passwords.enc}.

      Expected:

      In Step #6 the passwords should not be shown as clear text but rather the property as shown in Step #7.

        Attachments

        1. LdapPasswordJconsole.png (283 kB)
        2. LdapShowPassword.png (249 kB)
        3. RunTestAuthentication.png (336 kB)
        4. RunTestLdap.png (330 kB)
        5. ShowPassword.png (506 kB)
        6. V4.2-installer.txt (10 kB)

                People

                • Assignee: Closed Bugs (closedbugs)
                • Reporter: Harlin Seritt (hseritt)
                • Votes: 0
                • Watchers: 11


                    Time Tracking

                    Estimated: Not Specified
                    Remaining: 0 minutes
                    Logged:
                    Time Spent - 3 days, 1 hour, 10 minutes
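
A check for the exposure described in this report, as an added example that is not part of the original issue or of Alfresco's code: it takes the values configured in alfresco-global.properties and a dump of MBean attributes, and flags password attributes that JMX shows resolved instead of as a `${...}` reference or `ENC(...)` value. The dump format, the MBean path strings and the cleartext sample values are constructed for illustration.

```python
import re

SECRET_NAME = re.compile(r"passwords?$", re.IGNORECASE)
# Safe to display: unresolved ${...} reference, ENC(...) ciphertext, mask, or empty.
SAFE_VALUE = re.compile(r"^(\$\{[^}]+\}|ENC\(.+\)|\*+|)$")

# Step 3 of the report: alfresco-global.properties only holds references.
GLOBAL_PROPS = """\
cryptodoc.jce.keystore.password=${cryptodoc.jce.keystore.password.enc}
cryptodoc.jce.key.passwords=${cryptodoc.jce.key.passwords.enc}
"""

# Constructed dump of MBean attributes as a monitoring user would read them.
# Path strings and cleartext values are made up for this example.
SAMPLE_JMX = {
    "Alfresco/Configuration/ContentStore/managed/encrypted": {
        "cryptodoc.jce.keystore.password": "example-keystore-pass",
        "cryptodoc.jce.key.passwords": "example-key-pass",
        "cryptodoc.jce.key.aliases": "example-alias",
    },
    "Alfresco/GlobalProperties": {
        "cryptodoc.jce.keystore.password": "${cryptodoc.jce.keystore.password.enc}",
        "cryptodoc.jce.key.passwords": "${cryptodoc.jce.key.passwords.enc}",
    },
}

def parse_properties(text):
    """Parse key=value lines, skipping blanks and # or ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props

def audit(global_props, jmx_dump):
    """Return sorted (mbean, attribute) pairs where a protected secret is shown resolved."""
    findings = []
    for mbean, attrs in jmx_dump.items():
        for name, value in attrs.items():
            if not SECRET_NAME.search(name):
                continue  # not a secret-bearing attribute
            configured = global_props.get(name, "")
            # The file protects the value, but JMX exposes something else: cleartext leak.
            if SAFE_VALUE.match(configured) and not SAFE_VALUE.match(str(value)):
                findings.append((mbean, name))
    return sorted(findings)

if __name__ == "__main__":
    for mbean, name in audit(parse_properties(GLOBAL_PROPS), SAMPLE_JMX):
        print(f"cleartext secret exposed over JMX: {mbean} -> {name}")
```

Run against a build that behaves as the report expects, where every password attribute shows the `${...}` reference, `audit` returns an empty list.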