[OPENAM-13890] Install.log logs AMLDAPUSERPASSWD for unprivileged demo user in plaintext - ForgeRock JIRA

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 14.1.1, 5.5.1, 6.0.0.5
Fix Version/s: 13.5.3, 14.1.2, 6.0.1, 5.5.2, 7.0.0
Component/s: install
Labels:
- EDISON

Rank:
1|hzvycf:

Sprint:
AM Sustaining Sprint 57, AM Sustaining Sprint 73
Story Points:
2
Needs backport:

No

Support Ticket IDs:

Verified Version/s:

5.5.2
Needs QA verification:

Yes
Functional tests:

No
Are the reproduction steps defined?:

Yes and I used the same an in the description

Description

Bug description

During installation, AM logs the "demo" user password (AMLDAPUSERPASSWD) in ~/openam/install.log in plaintext. It does this even when an external user store is configured.

How to reproduce the issue

Install AM (with or without an external user store)
Search ~/openam/install.log for AMLDAPUSERPASSWD

Expected behaviour

Using embedded user store, AMLDAPUSERPASSWD should not be logged in plaintext. When using an external user store, AMLDAPUSERPASSWD shouldn't be logged at all.

Current behaviour

AMLDAPUSERPASSWD is always logged and in plaintext

Work around

None

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

Screen Shot 2020-04-07 at 9.55.19 AM.png
194 kB
2020-04-06 9:57 PM

Activity

People

Assignee:: Sachiko Wallace

Reporter:: Aaron Haskins

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2018-10-30 4:17 PM

Updated:: 2020-04-06 10:00 PM

Resolved:: 2020-04-06 10:00 PM