Spring Cloud Services Config Server logs CredHub credentials at the debug level

Article ID: 298344

Products

VMware Tanzu Application Service for VMs

Issue/Introduction

Spring Cloud Services (SCS) Config Server logs CredHub requests at the debug level. As a result, secure CredHub credentials and related information are written to the Config Server logs. This impacts all versions of SCS v3.1.x.

To confirm you are hitting this issue, check the logs of your Config Server by running this command: 
cf logs config-server --recent | grep 'CredHubRequest'

------------------------------------------------------------------------------------------

2021-11-08T15:54:21.57-0500 [APP/PROC/WEB/2] OUT [http-nio-8080-exec-6] DEBUG o.s.web.client.RestTemplate.debug - Writing [CredHubRequest{overwrite=null, name=SimpleCredentialName{segments=[c/p.spring-cloud-services-scs-service-broker/config-server-19a02e06-a12a-4de0-9db6-6eb642722aa2, AccountAPI, cloud, master, SecureResources]}, credentialType=json, additionalPermissions=[], details={SecureResources__~__CTE__~__AccountAPI__~__ADCredentials__~__sccs-configuration-manager-rewrite.rewriteDate=2021-11-08T15:54:14.928-05:00, SecureResources__~__CTE__~__AccountAPI__~__Okta__~__okta.client.clientId=XXX, SecureResources__~__CTE__~__AccountAPI__~__ADCredentials__~__AD.user=XXX, SecureResources__~__CTE__~__AccountAPI__~__AccountAPIQueue__~__AccountAPI.USERID=XXX, SecureResources__~__CTE__~__AccountAPI__~__Okta__~__okta.client.clientSecret=XXXXXXX, SecureResources__~__CTE__~__AccountAPI__~__AccountAPIQueue__~__AccountAPI.PASSWORD=XXXXX, SecureResources__~__CTE__~__AccountAPI__~__Okta__~__sccs-configuration-manager-rewrite.rewriteDate=2021-11-08T15:54:14.928-05:00, 
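
Added example (not part of the original article and not VMware tooling): a shell function that reads Config Server log output and lists the property keys that appeared in CredHubRequest debug lines, without printing their values. The function names and the sample log lines are constructed for this example, and it assumes values contain no ", " or "}".

```shell
#!/bin/sh
# Added example; function names and sample data are hypothetical/constructed.
# Usage against a real instance:
#   cf logs config-server --recent | credhub_exposed_keys

# Reads log lines on stdin and prints the unique property keys found in the
# details={...} map of RestTemplate DEBUG CredHubRequest lines.
# Values are never printed. Truncated lines (no closing brace) are handled.
credhub_exposed_keys() {
    awk '
    index($0, "DEBUG") && index($0, "RestTemplate") && index($0, "CredHubRequest{") {
        start = index($0, "details={")
        if (start == 0) next
        rest = substr($0, start + length("details={"))
        stop = index(rest, "}")              # end of the details map, if present
        if (stop > 0) rest = substr(rest, 1, stop - 1)
        n = split(rest, pairs, ", ")
        for (k = 1; k <= n; k++) {
            eq = index(pairs[k], "=")
            if (eq < 2) continue             # empty tail of a truncated line
            key = substr(pairs[k], 1, eq - 1)
            gsub(/__~__/, "/", key)          # path separator used in the key names
            print key
        }
    }' | sort -u
}

# Constructed sample input modelled on the log line shown above.
sample_log() {
    cat <<'EOF'
2021-11-08T15:54:21.57-0500 [APP/PROC/WEB/2] OUT [http-nio-8080-exec-6] DEBUG o.s.web.client.RestTemplate.debug - Writing [CredHubRequest{overwrite=null, credentialType=json, additionalPermissions=[], details={SecureResources__~__App__~__Okta__~__okta.client.clientId=CONSTRUCTED-ID, SecureResources__~__App__~__Okta__~__okta.client.clientSecret=CONSTRUCTED-SECRET, SecureResources__~__App__~__Queue__~__App.PASSWORD=CONSTRUCTED-PW}}]
2021-11-08T15:54:22.10-0500 [APP/PROC/WEB/2] OUT [http-nio-8080-exec-6] INFO o.s.example.Unrelated - details={not.a.credhub.line=CONSTRUCTED}
2021-11-08T15:54:23.02-0500 [APP/PROC/WEB/2] OUT [http-nio-8080-exec-7] DEBUG o.s.web.client.RestTemplate.debug - Writing [CredHubRequest{overwrite=null, credentialType=json, details={SecureResources__~__App__~__Okta__~__okta.client.clientSecret=CONSTRUCTED-SECRET, 
EOF
}

# Stand-alone run: show the keys found in the constructed sample.
sample_log | credhub_exposed_keys
```

Log lines written after the workaround below has been applied and the Config Server restarted should produce no output from this function.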


Environment

Product Version: 2.11

Resolution

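To work around this issue, override the RestTemplate logging level with an environment variable on the Config Server so that requests are no longer logged at the debug level.

1. Target the org and space that contain your Config Server: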
cf target -o p-spring-cloud-service -s $(cf service config-server-instance-name --guid)

2. Override the environment variable on the Config Server with this command:
cf set-env config-server logging.level.org.springframework.web.client.RestTemplate INFO


3. Restart the Config Server with the following command for this fix to take effect:

cf restart config-server


Note: A fix for this issue is planned to be released in SCS v3.1.24.