AWS access key stored in plaintext in DXUIM TIBCO CABI (JasperServer)


Article ID: 278766


Updated On: 02-15-2024

Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

A security scan may warn about a plaintext AWS access key stored in the TIBCO CABI (JasperServer) resource aws.properties.

The file is usually present in the following locations:

c:\Program Files (x86)\Nimsoft\c\buildomatic\conf_source\iePro\classes\aws.properties

C:\Program Files (x86)\Nimsoft\c\buildomatic\install_resources\war\jasperserver-pro\WEB-INF\classes\aws.properties

C:\Program Files (x86)\Nimsoft\probes\service\wasp\webapps\cabijs\WEB-INF\classes\aws.properties

 

# Copyright (C) 2005 - 2020 TIBCO Software Inc. All rights reserved.
# http://www.jaspersoft.com.
#
# Unless you have purchased a commercial license agreement from Jaspersoft,
# the following license terms apply:
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU Affero General Public License as
# published by the Free Software Foundation, either version 3 of the
# License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU Affero General Public License for more details.
#
# You should have received a copy of the GNU Affero General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#

aws.accessKey=####################
aws.secretKey=###/##################################

aws.queuesuffix=_aws3
aws.topicsuffix=_aws3

aws.nevadoTopicName=##########
aws.nevadoQueueName=##########


aws.clientID=###########
aws.threadCount=1

 

Are these files vulnerable? 

Can attackers use this key from these files? 

Environment

DX UIM 20.4.x / DX UIM 23.4

Cause

TIBCO does not consider this a vulnerability.

Resolution

TIBCO has confirmed that the key present in the aws.properties file is a dummy key and not a real AWS access key.

Hence this security warning can be safely ignored, as it does not represent a threat. The key is only an example.

 

Additional Information

Note: The files themselves, or the example keys, can be safely deleted from the paths indicated, as they are not used.
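A triage check for this finding, added here as an example (it is not Broadcom or TIBCO code): it reads each aws.properties copy, describes aws.accessKey and aws.secretKey by length and SHA-256 fingerprint without printing them, and compares the copies. The AKIA/ASIA key shape, the function names and the sample values are assumptions constructed for illustration.

```python
import hashlib
import re
from pathlib import Path

# The three locations listed in the article.
ARTICLE_PATHS = [
    r"c:\Program Files (x86)\Nimsoft\c\buildomatic\conf_source\iePro\classes\aws.properties",
    r"C:\Program Files (x86)\Nimsoft\c\buildomatic\install_resources\war\jasperserver-pro\WEB-INF\classes\aws.properties",
    r"C:\Program Files (x86)\Nimsoft\probes\service\wasp\webapps\cabijs\WEB-INF\classes\aws.properties",
]
KEY_NAMES = ("aws.accessKey", "aws.secretKey")
# Assumption: AWS access key IDs are 20 characters and start with AKIA or ASIA.
ACCESS_KEY_SHAPE = re.compile(r"(AKIA|ASIA)[A-Z0-9]{16}")
# Constructed sample, not a real credential and not the value shipped with CABI.
SAMPLE = "# comment\naws.accessKey=" + "AKIA" + "X" * 16 + "\naws.secretKey=" + "x" * 40 + "\naws.threadCount=1\n"

def parse_properties(text):
    """Read simple key=value lines; comments and blanks are skipped (no line continuations)."""
    props = {}
    for line in text.splitlines():
        match = re.match(r"\s*([^#!=:\s][^=:\s]*)\s*[=:]\s*(.*?)\s*$", line)
        if match:
            props[match.group(1)] = match.group(2)
    return props

def triage(text):
    """Describe the two key properties without ever returning their values."""
    props = parse_properties(text)
    report = {}
    for name in KEY_NAMES:
        value = props.get(name, "")
        digest = hashlib.sha256(value.encode("utf-8")).hexdigest()[:12] if value else None
        report[name] = {"present": bool(value), "length": len(value), "fingerprint": digest}
    report["aws_shaped"] = bool(ACCESS_KEY_SHAPE.fullmatch(props.get("aws.accessKey", "")))
    return report

def identical_copies(reports):
    """True when every copy holds the same key values, compared by fingerprint only."""
    seen = {tuple(r[name]["fingerprint"] for name in KEY_NAMES) for r in reports}
    return len(seen) <= 1

if __name__ == "__main__":
    found = {p: triage(Path(p).read_text(encoding="utf-8", errors="replace"))
             for p in ARTICLE_PATHS if Path(p).is_file()}
    for location in ARTICLE_PATHS:
        print(location, found.get(location, "not present"))
    print("all copies carry the same key values:", identical_copies(list(found.values())))
```

Matching fingerprints in all three locations and across hosts are what an unmodified shipped example would produce; a copy whose fingerprint differs has been edited and should be reviewed before the finding is closed.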