Derby
  DERBY-1056

Print a security warning to derby.log and network server console if network server is started with remote connections enabled and security manager, user authentication, and encrypted userid are not on

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 10.1.2.1
    • Fix Version/s: None
    • Component/s: Network Server
    • Labels:
      None
    • Bug behavior facts:
      Security

      Description

      Information and questions from the user list seem to indicate that often users enable remote connections by starting network server with the -h 0.0.0.0 or -h <machinename> option without taking proper security measures. I think it would be worthwhile to print a security warning to the console and derby.log if network server is started without the proper security in place.

      Serious security issues exist when starting network server and allowing remote connections unless users:

      • Run in security manager with permissions restricted as much as possible.
      • Enable user authentication
      • Use encrypted userid/password (Currently only available with IBMJCE)
      • Maybe also print a warning if bootPassword is sent in the connectionAttributes, since this cannot be encrypted. (I had thought there was a jira issue for this but can't find it.)

      An example of such an attack might include creating databases until the host machine disk filled up, deleting all user data etc.

      Related issues:
      DERBY-65
      DERBY-474
      DERBY-528
      DERBY-962
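      As an added illustration of the startup check this issue asks for (hypothetical code, not Derby's own and not part of the issue), the class below evaluates the conditions listed in the description. It assumes the server reads its bind address from derby.drda.host, authentication from derby.connection.requireAuthentication and the enforced DRDA security mechanism from derby.drda.securityMechanism; the class and method names are invented.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;

/** Hypothetical startup check modelled on the warning proposed in DERBY-1056; not Derby's own code. */
public final class NetworkServerSecurityCheck {

    /** Loopback-only bind addresses; anything else (-h 0.0.0.0, -h <machinename>) enables remote connections. */
    static boolean remoteConnectionsEnabled(String host) {
        if (host == null) return false; // Derby's default bind address is localhost
        String h = host.trim().toLowerCase(Locale.ROOT);
        return !(h.equals("localhost") || h.equals("127.0.0.1") || h.equals("::1"));
    }

    /** Returns the safeguards missing at startup; an empty list means no warning is needed. */
    static List<String> missingSafeguards(String host, boolean securityManagerInstalled,
                                          boolean authenticationRequired, String securityMechanism) {
        List<String> missing = new ArrayList<>();
        if (!remoteConnectionsEnabled(host)) return missing;
        if (!securityManagerInstalled)
            missing.add("no Java security manager is installed");
        if (!authenticationRequired)
            missing.add("user authentication is off (derby.connection.requireAuthentication is not true)");
        if (!"ENCRYPTED_USER_AND_PASSWORD_SECURITY".equals(securityMechanism))
            missing.add("encrypted userid/password is not required (derby.drda.securityMechanism)");
        return missing;
    }

    /** Per-connection check: bootPassword travels in the connection attributes and is always clear text. */
    static boolean bootPasswordInConnectionAttributes(String connectionAttributes) {
        return connectionAttributes != null
            && connectionAttributes.toLowerCase(Locale.ROOT).contains("bootpassword=");
    }

    public static void main(String[] args) {
        // Values the server would take from its system properties (assumed names; defaults are Derby's).
        String host = System.getProperty("derby.drda.host", "localhost");
        boolean sm = System.getSecurityManager() != null;
        boolean auth = Boolean.getBoolean("derby.connection.requireAuthentication");
        String mech = System.getProperty("derby.drda.securityMechanism");

        List<String> missing = missingSafeguards(host, sm, auth, mech);
        if (!missing.isEmpty()) {
            // In the real server this would be written to both the console and derby.log.
            System.err.println("WARNING: network server accepts remote connections on " + host + " but:");
            for (String m : missing) System.err.println("  - " + m);
        }
    }
}
```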

        Activity

        Daniel John Debrunner added a comment -

        Should this warning also be generated when the server is listening on an address that is not localhost?

        -h mymachine.mydomain.com

        Kathey Marsden added a comment -

        Dan pointed out that this needs to print when remote connections are enabled with -h <machinename> as well so changing the title.

        I also thought of one other warning needed if bootPassword is passed in the connection attributes, so added that to the description.

        Also Dan asked me to elaborate about security issues when Network Server is started on localhost. Mostly these arise from shared machines where users do not trust each other, for example the District Attorney and the Public Defender share a machine and have separate databases but these are accessed through network server. The same risks apply because the users of the machine do not trust each other. The D.A. might set up his database and user authentication for the database and think he is all set, but really the password is being sent CLEAR_TEXT and the public defender might be able to gain access.
        The D.A. might even think he could set up a bootPassword, but that has two problems: 1) The bootPassword is sent in the connection attributes and so is always sent clear text and 2) once the database is booted the public defender has access.

        Perhaps this type of risk is just obvious, but because we don't start up with connections restricted in anyway as they might be with other database servers, users may not realize the risk.

        Some of these issues were discussed in this thread:

        http://www.nabble.com/DRDA-Password-Encryption-%28SECMEC_EUSRIDPWD-and-SECMEC_USRENCPWD%29-t80296.html#a24266

        At that time David suggested making a top level Client/Server Security Issue which is not a bad idea, but we actually have not had much luck executing on other such important top level issues as DERBY-310 and DERBY-209. Since this one is security it might gain more attention. I don't know.

        Daniel John Debrunner added a comment -

        Interesting scenario, the DA vs. the Public Defender. There might be issues, but I think for the ones you state the public defender would require root access to the machine to snoop the loopback driver. Once an untrusted person has root access then the derby network server is the least of their worries.

        Kathey Marsden added a comment -

        Took out part about security issues related to starting on localhost in description per Dan's comments.

        Daniel John Debrunner added a comment -

        Just to be clear, I wasn't suggesting that security issues related to localhost be removed from this bug. I was just pointing out for the two issues Kathey raised it didn't seem to me that there was a problem. I think the use of the network server in a single but shared machine is an interesting scenario to understand. It seems like at least the warning should be issued if a database with no authentication is accessible through the network server, regardless of local or remote host.

        Kathey Marsden added a comment -

        That sounds good as at least that would be a clear issue. I think also as you say it would be good to explore this scenario more fully to see if security manager would also be needed in such a scenario. Enabling such a warning would make DERBY-474 all the more important as users are bound to have questions once the warning starts showing up.

        Kathey Marsden added a comment -

        Changing fix version to unknown as I do not plan to fix this personally for 10.2. I do think however that there is not a good awareness in the user community of the security risks associated with starting Network server with -h 0.0.0.0 to allow remote connections and not enabling authentication, running under security manager and using encrypted userid/password (not even available with most JVMs.) I do hope someone else will pick this issue up and that DERBY-528 will make it into 10.2 to help mitigate these security issues.


          People

          • Assignee: Unassigned
          • Reporter: Kathey Marsden
