ZooKeeper
  1. ZooKeeper
  2. ZOOKEEPER-1917

Apache Zookeeper logs cleartext admin passwords

    Details

    • Type: Bug Bug
    • Status: Resolved
    • Priority: Blocker Blocker
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: 3.4.7, 3.5.1, 3.6.0
    • Component/s: None
    • Labels:
      None

      Description

      Check the CVE entry for a description:

      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0085

      1. ZOOKEEPER-1917.patch
        1 kB
        Michi Mutsuzaki
      2. ZOOKEEPER-1917.patch
        1 kB
        Michi Mutsuzaki
      3. ZOOKEEPER-1917.patch
        0.9 kB
        Flavio Junqueira

        Activity

        Hide
        Flavio Junqueira added a comment -

        This is what I get when using this setAcl command with the cli:

        setAcl /test-acl digest:super:/qrRr7/v21dMo0iDVdd2lttJEyw=:cdrwa
        

        First, what goes into the transaction log and I extract with logformatter:

        23/04/14 11:28:26 BST session 0x1458e0f5a130001 cxid 0xd zxid 0x1f setACL '/test-acl,v{s{31,s{'digest,'super:/qrRr7/v21dMo0iDVdd2lttJEyw=}}},1
        

        I also get this log message, but the encoding seems to be incorrect:

        2014-04-23 11:28:26,120 [myid:] - DEBUG [ProcessThread(sid:0 
        cport:-1)::PrepRequestProcessor@305] - Client credentials: ['ip,'127.0.0.1
        , 'digest,'super:Aayiuo6ORq4pteRsUdo6sM7mmf4=
        ]
        
        Show
        Flavio Junqueira added a comment - This is what I get when using this setAcl command with the cli: setAcl /test-acl digest:super:/qrRr7/v21dMo0iDVdd2lttJEyw=:cdrwa First, what goes into the transaction log and I extract with logformatter: 23/04/14 11:28:26 BST session 0x1458e0f5a130001 cxid 0xd zxid 0x1f setACL '/test-acl,v{s{31,s{'digest,'super:/qrRr7/v21dMo0iDVdd2lttJEyw=}}},1 I also get this log message, but the encoding seems to be incorrect: 2014-04-23 11:28:26,120 [myid:] - DEBUG [ProcessThread(sid:0 cport:-1)::PrepRequestProcessor@305] - Client credentials: ['ip,'127.0.0.1 , 'digest,'super:Aayiuo6ORq4pteRsUdo6sM7mmf4= ]
        Hide
        Andrew Purtell added a comment -

        I took a stab at optionally encrypting snapshots and txn logs at rest in ZOOKEEPER-1688. The patch on that issue worked with 3.4 in the lab. I would say it's at the 'discussion starter' phase.

        Show
        Andrew Purtell added a comment - I took a stab at optionally encrypting snapshots and txn logs at rest in ZOOKEEPER-1688 . The patch on that issue worked with 3.4 in the lab. I would say it's at the 'discussion starter' phase.
        Hide
        Flavio Junqueira added a comment -

        Thanks for pointing it out, Andrew Purtell. It sounds like a great feature to have. We might still want to try a fix without full encryption, though.

        Show
        Flavio Junqueira added a comment - Thanks for pointing it out, Andrew Purtell . It sounds like a great feature to have. We might still want to try a fix without full encryption, though.
        Hide
        Michi Mutsuzaki added a comment -

        I asked for more details on the original bug and got an email from Red Hat Security Response Team.

        https://bugzilla.redhat.com/show_bug.cgi?id=1067265

        The original bug is not about ACL password. Some applications use ZooKeeper to store their passwords (like in a znode "/my/password"), and the transaction log files are not encrypted, so if you have read permission, you can see the password stored in the znode. Their fix is to encrypt the password before storing it in ZooKeeper.

        Show
        Michi Mutsuzaki added a comment - I asked for more details on the original bug and got an email from Red Hat Security Response Team. https://bugzilla.redhat.com/show_bug.cgi?id=1067265 The original bug is not about ACL password. Some applications use ZooKeeper to store their passwords (like in a znode "/my/password"), and the transaction log files are not encrypted, so if you have read permission, you can see the password stored in the znode. Their fix is to encrypt the password before storing it in ZooKeeper.
        Hide
        Flavio Junqueira added a comment -

        That's pretty weird... So if someone stores their social security number or credit card number then we should request a CVE entry is created?

        Putting the reason behind the report aside, it sounds like a good idea not to store the password hash as is. Andrew Purtell's solution is definitely an option, but it seems to be more appropriate if you're concerned about sensitive data being exposed. If all you're trying to do is to avoid having passwords exposed, then perhaps that's overkill and we could simply find a way to avoid having it in the logs.

        In any case, I'm just trying to figure out what our story is, and we should recommend to anyone concerned about it. What do you think?

        Show
        Flavio Junqueira added a comment - That's pretty weird... So if someone stores their social security number or credit card number then we should request a CVE entry is created? Putting the reason behind the report aside, it sounds like a good idea not to store the password hash as is. Andrew Purtell 's solution is definitely an option, but it seems to be more appropriate if you're concerned about sensitive data being exposed. If all you're trying to do is to avoid having passwords exposed, then perhaps that's overkill and we could simply find a way to avoid having it in the logs. In any case, I'm just trying to figure out what our story is, and we should recommend to anyone concerned about it. What do you think?
        Hide
        Michi Mutsuzaki added a comment -

        Yes, it is pretty weird. I guess we can set the expectation by documenting that transaction logs and snapshots are not encrypted, and it is the user's responsibility to secure these files. I am -0 on ZOOKEEPER-1688. I don't think we should be dealing with on-disk encryption ourselves. The user can easily manage on-disk encryption outside of ZooKeeper.

        Show
        Michi Mutsuzaki added a comment - Yes, it is pretty weird. I guess we can set the expectation by documenting that transaction logs and snapshots are not encrypted, and it is the user's responsibility to secure these files. I am -0 on ZOOKEEPER-1688 . I don't think we should be dealing with on-disk encryption ourselves. The user can easily manage on-disk encryption outside of ZooKeeper.
        Hide
        Flavio Junqueira added a comment -

        Added a note to the administrator page. Could anyone have a look and see if this is ok?

        Show
        Flavio Junqueira added a comment - Added a note to the administrator page. Could anyone have a look and see if this is ok?
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12667492/ZOOKEEPER-1917.patch
        against trunk revision 1621313.

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed core unit tests.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2320//testReport/
        Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2320//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
        Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2320//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12667492/ZOOKEEPER-1917.patch against trunk revision 1621313. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2320//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2320//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2320//console This message is automatically generated.
        Hide
        Rakesh R added a comment -

        +1 lgtm

        Show
        Rakesh R added a comment - +1 lgtm
        Hide
        Michi Mutsuzaki added a comment -

        +1 I'll check this in.

        Show
        Michi Mutsuzaki added a comment - +1 I'll check this in.
        Show
        Michi Mutsuzaki added a comment - trunk: http://svn.apache.org/viewvc?view=revision&revision=1628123 branch-3.4: http://svn.apache.org/viewvc?view=revision&revision=1628124
        Show
        Michi Mutsuzaki added a comment - branch-3.5: http://svn.apache.org/viewvc?view=revision&revision=1628125
        Hide
        Hudson added a comment -

        FAILURE: Integrated in ZooKeeper-trunk #2453 (See https://builds.apache.org/job/ZooKeeper-trunk/2453/)
        ZOOKEEPER-1917 Apache Zookeeper logs cleartext admin passwords (fpj via michim) (michim: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1628123)

        • /zookeeper/trunk/CHANGES.txt
        • /zookeeper/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml
        Show
        Hudson added a comment - FAILURE: Integrated in ZooKeeper-trunk #2453 (See https://builds.apache.org/job/ZooKeeper-trunk/2453/ ) ZOOKEEPER-1917 Apache Zookeeper logs cleartext admin passwords (fpj via michim) (michim: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1628123 ) /zookeeper/trunk/CHANGES.txt /zookeeper/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml
        Hide
        Michi Mutsuzaki added a comment -

        It looks like this patch broke the build. Sorry I should have verified the patch locally before checking in...

        https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk/2453/console

        [exec] validate-xdocs:
        [exec] /home/jenkins/jenkins-slave/workspace/ZooKeeper-trunk/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml:1687:15: The content of element type "section" must match "(sectioninfo?,(title,subtitle?,titleabbrev?),(((itemizedlist|orderedlist|variablelist|note|literallayout|programlisting|para|blockquote|mediaobject|informaltable|example|figure|table|sidebar|abstract|authorblurb|epigraph),section*)|section))".
        [exec]
        [exec] BUILD FAILED
        [exec] /home/jenkins/tools/forrest/latest/main/targets/validate.xml:135: /home/jenkins/jenkins-slave/workspace/ZooKeeper-trunk/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml is not a valid XML document.

        Show
        Michi Mutsuzaki added a comment - It looks like this patch broke the build. Sorry I should have verified the patch locally before checking in... https://builds.apache.org/view/S-Z/view/ZooKeeper/job/ZooKeeper-trunk/2453/console [exec] validate-xdocs: [exec] /home/jenkins/jenkins-slave/workspace/ZooKeeper-trunk/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml:1687:15: The content of element type "section" must match "(sectioninfo?,(title,subtitle?,titleabbrev?),(((itemizedlist|orderedlist|variablelist|note|literallayout|programlisting|para|blockquote|mediaobject|informaltable|example|figure|table|sidebar|abstract|authorblurb|epigraph) ,section*)|section ))". [exec] [exec] BUILD FAILED [exec] /home/jenkins/tools/forrest/latest/main/targets/validate.xml:135: /home/jenkins/jenkins-slave/workspace/ZooKeeper-trunk/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml is not a valid XML document.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12671992/ZOOKEEPER-1917.patch
        against trunk revision 1628224.

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.

        +1 release audit. The applied patch does not increase the total number of release audit warnings.

        -1 core tests. The patch failed core unit tests.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2358//testReport/
        Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2358//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
        Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2358//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12671992/ZOOKEEPER-1917.patch against trunk revision 1628224. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. +1 release audit. The applied patch does not increase the total number of release audit warnings. -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2358//testReport/ Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2358//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2358//console This message is automatically generated.
        Hide
        Patrick Hunt added a comment -

        I don't believe we should say "(which is fairly uncommon)" given we don't really know. It's up to users what they put into zk, uncommon or common.

        Show
        Patrick Hunt added a comment - I don't believe we should say "(which is fairly uncommon)" given we don't really know. It's up to users what they put into zk, uncommon or common.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12671992/ZOOKEEPER-1917.patch
        against trunk revision 1630026.

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.

        -1 release audit. The applied patch generated 2 release audit warnings (more than the trunk's current 0 warnings).

        +1 core tests. The patch passed core unit tests.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2385//testReport/
        Release audit warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2385//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt
        Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2385//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
        Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2385//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12671992/ZOOKEEPER-1917.patch against trunk revision 1630026. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. -1 release audit. The applied patch generated 2 release audit warnings (more than the trunk's current 0 warnings). +1 core tests. The patch passed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2385//testReport/ Release audit warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2385//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2385//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2385//console This message is automatically generated.
        Hide
        Michi Mutsuzaki added a comment -

        Addressed Pat's comment.

        Show
        Michi Mutsuzaki added a comment - Addressed Pat's comment.
        Hide
        Hadoop QA added a comment -

        -1 overall. Here are the results of testing the latest attachment
        http://issues.apache.org/jira/secure/attachment/12674453/ZOOKEEPER-1917.patch
        against trunk revision 1630026.

        +1 @author. The patch does not contain any @author tags.

        -1 tests included. The patch doesn't appear to include any new or modified tests.
        Please justify why no new tests are needed for this patch.
        Also please list what manual steps were performed to verify this patch.

        +1 javadoc. The javadoc tool did not generate any warning messages.

        +1 javac. The applied patch does not increase the total number of javac compiler warnings.

        +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings.

        -1 release audit. The applied patch generated 2 release audit warnings (more than the trunk's current 0 warnings).

        -1 core tests. The patch failed core unit tests.

        +1 contrib tests. The patch passed contrib unit tests.

        Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2388//testReport/
        Release audit warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2388//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt
        Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2388//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html
        Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2388//console

        This message is automatically generated.

        Show
        Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12674453/ZOOKEEPER-1917.patch against trunk revision 1630026. +1 @author. The patch does not contain any @author tags. -1 tests included. The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch. +1 javadoc. The javadoc tool did not generate any warning messages. +1 javac. The applied patch does not increase the total number of javac compiler warnings. +1 findbugs. The patch does not introduce any new Findbugs (version 2.0.3) warnings. -1 release audit. The applied patch generated 2 release audit warnings (more than the trunk's current 0 warnings). -1 core tests. The patch failed core unit tests. +1 contrib tests. The patch passed contrib unit tests. Test results: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2388//testReport/ Release audit warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2388//artifact/trunk/patchprocess/patchReleaseAuditProblems.txt Findbugs warnings: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2388//artifact/trunk/build/test/findbugs/newPatchFindbugsWarnings.html Console output: https://builds.apache.org/job/PreCommit-ZOOKEEPER-Build/2388//console This message is automatically generated.
        Show
        Rakesh R added a comment - Thanks Michi Mutsuzaki , committed the changes. Committed to trunk : http://svn.apache.org/viewvc?view=revision&revision=1631277 Committed to br3.4 : http://svn.apache.org/viewvc?view=revision&revision=1631279 Committed to br3.5 : http://svn.apache.org/viewvc?view=revision&revision=1631278
        Hide
        Hudson added a comment -

        SUCCESS: Integrated in ZooKeeper-trunk #2468 (See https://builds.apache.org/job/ZooKeeper-trunk/2468/)
        ZOOKEEPER-1917 Apache Zookeeper logs cleartext admin passwords (michim via rakeshr) (rakeshr: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1631277)

        • /zookeeper/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml
        Show
        Hudson added a comment - SUCCESS: Integrated in ZooKeeper-trunk #2468 (See https://builds.apache.org/job/ZooKeeper-trunk/2468/ ) ZOOKEEPER-1917 Apache Zookeeper logs cleartext admin passwords (michim via rakeshr) (rakeshr: http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1631277 ) /zookeeper/trunk/src/docs/src/documentation/content/xdocs/zookeeperAdmin.xml

          People

          • Assignee:
            Flavio Junqueira
            Reporter:
            Flavio Junqueira
          • Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

            Dates

            • Created:
              Updated:
              Resolved:

              Development