
    • Type: Bug
    • Resolution: Done
    • Priority: Blocker
    • 7.0.0.DR10
    • 7.0.0.DR8
    • Security
    • None

      1) Start the server and execute the following CLI commands:

      ./jboss-cli.sh -c '/core-service=management/access=audit/logger=audit-log:write-attribute(name=enabled, value=true)'
      ./jboss-cli.sh -c ":shutdown"

      2) Check the output of this command:

      ls -l ${SERVER_HOME}/standalone/data/audit-log.log
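      As an added check that is not part of this issue: a POSIX shell script that classifies the permission mode of the audit log file from step 2 and shows the owner-only mode a fix should leave it with. The script runs against constructed sample files in a temporary directory; the real path is ${SERVER_HOME}/standalone/data/audit-log.log.

```shell
#!/bin/sh
# Added example, not part of the JIRA issue: classify the mode of the audit
# log file and show the owner-only mode the fix should leave it with.
# Real path (from step 2): ${SERVER_HOME}/standalone/data/audit-log.log

# Prints "world-readable", "restricted" or "missing" for the given file.
audit_log_status() {
  f="$1"
  if [ ! -e "$f" ]; then
    echo missing
    return 0
  fi
  # In the ls -l mode string (e.g. -rw-r--r--) character 8 is the
  # "other read" bit, so this works on any POSIX ls without GNU stat.
  other_read=$(ls -ld "$f" | cut -c8)
  if [ "$other_read" = "r" ]; then
    echo world-readable
  else
    echo restricted
  fi
}

# Demonstration on a constructed file in a temporary directory.
demo() {
  d=$(mktemp -d)
  log="$d/audit-log.log"
  : > "$log"
  chmod 644 "$log"                 # the world-readable mode this issue reports
  printf 'before fix: %s\n' "$(audit_log_status "$log")"
  chmod 600 "$log"                 # owner-only: the expected remediation
  printf 'after fix:  %s\n' "$(audit_log_status "$log")"
  rm -rf "$d"
}

demo
```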

      The server logs sensitive information into a world-readable audit.log file. A local attacker could use this to obtain otherwise protected information, such as details about user sessions.

      This issue was originally reported as a CVE in https://bugzilla.redhat.com/show_bug.cgi?id=1063642. The EAP 6.x branches are fixed, but the same issue occurs again in EAP 7.

            istudens@redhat.com Ivo Studensky
            olukas Ondrej Lukas (Inactive)
