sha2encoder: plain text password logged

Article ID: 207862

Products

CA Application Performance Management (APM / Wily / Introscope)

Issue/Introduction

There is a security problem in the SHA2encoder: The password is logged in plain text in /product/sha2/configuration/*.log.

Example contents (for the dummy password "xx"):

     !SESSION 2020-11-10 12:35:05.442 -----------------------------------------------
     eclipse.buildId=M20060629-1905
     java.version=1.8.0_112
     java.vendor=Oracle Corporation
     BootLoader constants: OS=linux, ARCH=x86_64, WS=gtk, NL=en_US
     Framework arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder xx
     Command-line arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder xx

     !ENTRY org.eclipse.update.configurator 4 0 2020-11-10 12:35:07.384
     !MESSAGE Could not install bundle plugins/commons-codec_1.10.jar   Bundle "org.apache.commons.codec" version "1.10.0" has already been installed from:         [email protected]/org.apache.commons.codec_1.10.jar

Cause

Root cause: the org.apache.commons.codec bundle is present twice in the plugins directory. OSGi refuses to install the second copy, and that error is what causes the configuration log to be written; the log records the full command line, password included.

The password itself cannot be obscured in the command line, but the launcher properties can be changed so that any OSGi errors are flagged in the console when the password encoder script is run.

Environment

Release : 10.7.0

Component : Introscope

Resolution

  • Steps to enable console logging in SHA2Encoder.sh

1) Open SHA2Encoder.sh and change the -Declipse.consoleLog= property from false to true:

     "$JAVA_HOME/bin/java" -Declipse.consoleLog=true -jar "$installDir/launcher.jar" -configuration "$installDir/product/sha2/configuration" -install "$installDir/product/enterprisemanager" -application com.wily.introscope.eclipseapp.SHA2Encoder $1

With this configuration option, any OSGi errors will be written to the console as shown below:

     [[email protected] tools]# ./SHA2Encoder.sh help
     Debug options:
     file:/tmp/.options not found
     !SESSION 2020-11-25 11:33:07.666 -----------------------------------------------
     eclipse.buildId=M20060629-1905
     java.version=1.8.0_112
     java.vendor=Oracle Corporation
     BootLoader constants: OS=linux, ARCH=x86_64, WS=gtk, NL=en_GB
     Framework arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder help
     Command-line arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder help

     !ENTRY org.eclipse.update.configurator 4 0 2020-11-25 11:33:08.730
     !MESSAGE Could not install bundle plugins/org.apache.commons.codec_1.10.jar   Bundle "org.apache.commons.codec" version "1.10.0" has already been installed from: [email protected]/commons-codec_1.10.jar
     log4j:WARN No appenders could be found for logger (org.springframework.osgi.extender.internal.activator.ContextLoaderListener).
     log4j:WARN Please initialize the log4j system properly.
     log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
     help:2a.100000.dhoB3Iq6x6dlVkTMQu4L9g==.rU6L/bPwLjvq9JS79MFBWg==

  • Steps to remove the duplicate bundle:

1) Stop the Enterprise Manager

2) Go to <EM_HOME>/product/enterprise/plugins

3) Locate the file commons-codec_1.10.jar and remove it from the folder.

4) Clear the OSGi cache using the instructions here

5) Restart the Enterprise Manager

With this change, the log should no longer be created in /product/sha2/configuration/*.log, so the password is not exposed.
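As an added check (example script, not part of this article or of the product): the following bash functions audit an Enterprise Manager installation for the exposure described above, that is, configuration logs carrying the SHA2Encoder command line, a second commons-codec bundle in the plugin directory, and whether SHA2Encoder.sh already has console logging enabled. The log directory, plugin directory and script path are assumed to be passed as arguments; the fixture data is constructed from the sample output above and the file name 1605011705442.log is made up.

```shell
#!/usr/bin/env bash
# Added example, not from the KB article. Layout and sample data are constructed.
set -u

# Count log lines under $1 that carry the SHA2Encoder command line and hence the
# password passed as its argument (the exposure the article describes).
count_leaked_lines() {
    grep -h -c -E 'eclipseapp\.SHA2Encoder[[:space:]]+[^[:space:]]+' "$1"/*.log 2>/dev/null \
        | awk '{ s += $1 } END { print s + 0 }'
}

# Print those lines with the trailing argument replaced, so the report itself
# does not copy the password anywhere else.
redact_leaked_lines() {
    grep -h -E 'eclipseapp\.SHA2Encoder[[:space:]]+[^[:space:]]+' "$1"/*.log 2>/dev/null \
        | sed -E 's/(eclipseapp\.SHA2Encoder[[:space:]]+)[^[:space:]]+/\1<REDACTED>/'
}

# Count commons-codec bundles in plugin directory $1. The root cause is two copies
# (commons-codec_1.10.jar and org.apache.commons.codec_1.10.jar); more than one
# reproduces the OSGi "already been installed" error and therefore the log file.
count_codec_bundles() {
    local n=0 f
    for f in "$1"/*commons*codec*_*.jar; do
        [ -e "$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# Exit 0 when SHA2Encoder.sh ($1) already carries -Declipse.consoleLog=true (step 1).
console_log_enabled() {
    grep -q -- '-Declipse.consoleLog=true' "$1"
}

# Constructed fixture mirroring the article: a configuration log with the dummy
# password "xx", a plugin directory holding both codec jars, an unmodified script.
make_fixture() {
    local root; root=$(mktemp -d)
    mkdir -p "$root/sha2/configuration" "$root/plugins"
    cat > "$root/sha2/configuration/1605011705442.log" <<'EOF'
!SESSION 2020-11-10 12:35:05.442 -----------------------------------------------
Framework arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder xx
Command-line arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder xx
EOF
    : > "$root/plugins/commons-codec_1.10.jar"
    : > "$root/plugins/org.apache.commons.codec_1.10.jar"
    echo '"$JAVA_HOME/bin/java" -Declipse.consoleLog=false -jar launcher.jar' > "$root/SHA2Encoder.sh"
    echo "$root"
}
```

Run the three checks before and after applying the steps above; once the duplicate jar is gone, count_codec_bundles reports 1 and no new configuration log should appear.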

A defect has been raised to address the duplicate bundles; the fix is planned for inclusion in 10.7 SP4.