Bug 1210930

Summary: VUL-1: SUMA: JWT token disclosure in log files
Product: [Novell Products] SUSE Security Incidents
Reporter: Paolo Perego <paolo.perego>
Component: Incidents
Assignee: Paolo Perego <paolo.perego>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: artem.shiliaev, jgonzalez, marina.latini, mc, paolo.perego, rmateus, rosuna
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://github.com/SUSE/spacewalk/issues/22230
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---
Bug Depends on:
Bug Blocks: 1209434

Description Paolo Perego 2023-04-27 16:05:08 UTC
The DownloadController.java class logs the JWT token several times, using the info() call.

This is risky, because a user with access to the log files (and they are readable by anyone on the SUMA server) can collect JWT tokens from users on the system.

If the JWT token is important information for troubleshooting in case of errors, the suggestion is to log these messages in an error log file, readable only by root.

During the analysis of this issue, while talking with the SUMA team, they made me aware that JWT tokens are on the query string, so there is no lack of confidentiality. However, since the transport is protected by HTTPS, query-string parameters are not logged in access.log files.

This is an instance of CVE-2023-22644 (bsc#1209434)
Comment 2 Paolo Perego 2023-11-15 16:34:40 UTC
Fixed in 4.3.8
Comment 3 Paolo Perego 2023-11-15 16:37:58 UTC
Waiting for final confirmation from development team
Comment 4 Michael Calmer 2023-11-17 09:34:55 UTC
We have to debug a lot with these tokens. Also for an admin it can be critical to identify the token. But we do not need the full token in the logs.

I changed this to only print the last 20 characters (out of > 200) in the logs.
I hope this is sufficient.
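The pattern described in the report beside the mitigation from the comment above, as an added example (not code from spacewalk-java or DownloadController.java); the class, method names and the sample token are constructed for illustration:

```java
import java.util.logging.Logger;

/**
 * Added example, not project code: the full-token log line the report
 * describes next to a redaction that keeps only the last 20 characters.
 */
public class JwtLogRedaction {
    private static final Logger LOG = Logger.getLogger(JwtLogRedaction.class.getName());
    // Trailing characters kept for correlation; the value chosen in the fix.
    private static final int VISIBLE_SUFFIX = 20;

    /** Before: the whole bearer token ends up in a world-readable log file. */
    static String unsafeLogLine(String token) {
        return "Download with token " + token;
    }

    /**
     * After: a short tail lets an admin match a log line to a token seen
     * elsewhere, while the header and payload segments and nearly all of the
     * signature stay out of the log.
     */
    static String redact(String token) {
        if (token == null || token.isEmpty()) {
            return "<no token>";
        }
        // A token no longer than the suffix would be printed whole; mask it fully.
        if (token.length() <= VISIBLE_SUFFIX) {
            return "<redacted>";
        }
        return "..." + token.substring(token.length() - VISIBLE_SUFFIX);
    }

    static String safeLogLine(String token) {
        return "Download with token " + redact(token);
    }

    public static void main(String[] args) {
        // Constructed sample in JWT shape (header.payload.signature); not a real or valid token.
        String token = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJjbGllbnQtMDEifQ."
                + "constructedSignatureSegmentForTheExample0123456789";
        LOG.warning("before: " + unsafeLogLine(token)); // full token exposed
        LOG.info("after:  " + safeLogLine(token));      // only the 20-character tail
    }
}
```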
Comment 9 Michael Calmer 2023-11-21 09:17:24 UTC
Paolo: This will be fixed in 4.3.10 and the next Uyuni version (2023.11).
Code is merged in all active branches.

Assigning the bug to you for tracking.
Comment 13 Maintenance Automation 2023-12-13 12:30:10 UTC
SUSE-SU-2023:4758-1: An update that solves one vulnerability, contains one feature and has 30 security fixes can now be installed.

Category: security (important)
Bug References: 1191143, 1204235, 1207012, 1207532, 1210928, 1210930, 1211355, 1211560, 1211649, 1212695, 1212904, 1213469, 1214186, 1214471, 1214601, 1214759, 1215209, 1215514, 1215949, 1216030, 1216041, 1216085, 1216128, 1216380, 1216506, 1216555, 1216690, 1216754, 1217038, 1217223, 1217224
CVE References: CVE-2023-22644
Jira References: MSQA-708
Sources used:
openSUSE Leap 15.4 (src): release-notes-susemanager-4.3.10-150400.3.93.1, release-notes-susemanager-proxy-4.3.10-150400.3.72.1
SUSE Manager Proxy 4.3 (src): release-notes-susemanager-proxy-4.3.10-150400.3.72.1
SUSE Manager Retail Branch Server 4.3 (src): release-notes-susemanager-proxy-4.3.10-150400.3.72.1
SUSE Manager Server 4.3 (src): release-notes-susemanager-4.3.10-150400.3.93.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2023-12-13 12:37:03 UTC
SUSE-SU-2023:4737-1: An update that solves one vulnerability, contains two features and has 30 security fixes can now be installed.

Category: security (important)
Bug References: 1191143, 1204235, 1207012, 1207532, 1210928, 1210930, 1211355, 1211560, 1211649, 1212695, 1212904, 1213469, 1214186, 1214471, 1214601, 1214759, 1215209, 1215514, 1215949, 1216030, 1216041, 1216085, 1216128, 1216380, 1216506, 1216555, 1216690, 1216754, 1217038, 1217223, 1217224
CVE References: CVE-2023-22644
Jira References: MSQA-708, SUMA-282
Sources used:
openSUSE Leap 15.4 (src): apache2-mod_wsgi-4.7.1-150400.3.9.4
openSUSE Leap 15.5 (src): apache2-mod_wsgi-4.7.1-150400.3.9.4
Public Cloud Module 15-SP4 (src): apache2-mod_wsgi-4.7.1-150400.3.9.4
Public Cloud Module 15-SP5 (src): apache2-mod_wsgi-4.7.1-150400.3.9.4
SUSE Manager Proxy 4.3 Module 4.3 (src): spacecmd-4.3.25-150400.3.30.5, apache2-mod_wsgi-4.7.1-150400.3.9.4, spacewalk-proxy-4.3.17-150400.3.23.5, spacewalk-web-4.3.36-150400.3.36.7, spacewalk-client-tools-4.3.17-150400.3.21.6, spacewalk-backend-4.3.25-150400.3.33.7, susemanager-tftpsync-recv-4.3.9-150400.3.9.5
SUSE Manager Server 4.3 Module 4.3 (src): spacewalk-search-4.3.10-150400.3.15.4, susemanager-sync-data-4.3.14-150400.3.17.5, inter-server-sync-0.3.1-150400.3.24.5, uyuni-reportdb-schema-4.3.8-150400.3.9.6, susemanager-schema-4.3.22-150400.3.30.5, spacewalk-java-4.3.69-150400.3.69.5, susemanager-docs_en-4.3-150400.9.50.5, subscription-matcher-0.33-150400.3.16.3, susemanager-sls-4.3.37-150400.3.37.5, spacewalk-client-tools-4.3.17-150400.3.21.6, susemanager-4.3.33-150400.3.42.4, billing-data-service-4.3.2-150400.10.12.5, spacecmd-4.3.25-150400.3.30.5, spacewalk-backend-4.3.25-150400.3.33.7, apache2-mod_wsgi-4.7.1-150400.3.9.4, spacewalk-web-4.3.36-150400.3.36.7

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Paolo Perego 2023-12-13 13:08:34 UTC
Fixed, closing the issue.