WrenSecurity / wrenam

Community fork of OpenAM, an authentication and authorization system originally developed by ForgeRock.

[AM SA #201801-02] Configuration password stored in plain text #137

Closed karelmaxa closed 1 year ago

karelmaxa commented 1 year ago

This PR adds encoding of server configuration passwords to resolve the security vulnerability published as an AM SA #201801-02. Components that use these passwords are ready to perform the decryption (e.g. CTSDataLayerConfiguration.java#L58).

pavelhoral commented 1 year ago

This should probably be accompanied by an upgrade process to update existing configuration. Alternatively, there should be a migration / upgrade instruction that can do that (it can be as simple as an SMS export and reimport).

karelmaxa commented 1 year ago

Yes, you're right. I have added an upgrade step to encrypt plain-text passwords in the server configuration during the upgrade process.
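As an added illustration (not code from this PR or from wrenam itself) of what an idempotent upgrade step of this kind looks like: it walks the password attributes, leaves values that already carry the encrypted marker alone so a re-run is harmless, and stores each new value as iv || ciphertext under AES-GCM. The `{AES-GCM}` prefix, the attribute names and the freshly generated key are assumptions; the real step would use the instance's existing encryption key and the server configuration schema.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

public class ConfigPasswordUpgradeStep {
    static final String PREFIX = "{AES-GCM}"; // hypothetical marker: tells encrypted values from plain text
    static final Set<String> PASSWORD_KEYS = Set.of("cts.store.password", "sms.datastore.password"); // hypothetical names
    static final SecureRandom RNG = new SecureRandom();
    // Upgrade step: encrypts every plain-text password attribute in place; returns how many were migrated.
    static int encryptPlainTextPasswords(Map<String, String> config, SecretKey key) throws Exception {
        int migrated = 0;
        for (String attr : PASSWORD_KEYS) {
            String value = config.get(attr);
            if (value == null || value.isEmpty() || value.startsWith(PREFIX)) {
                continue; // absent, empty, or already migrated: the step is safe to run twice
            }
            config.put(attr, encrypt(value, key));
            migrated++;
        }
        return migrated;
    }
    static String encrypt(String plain, SecretKey key) throws Exception {
        byte[] iv = new byte[12];
        RNG.nextBytes(iv); // fresh nonce per value; GCM must never reuse one under the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length); // stored as iv || ciphertext || tag
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return PREFIX + Base64.getEncoder().encodeToString(out);
    }
    // Counterpart used by consumers (e.g. the CTS data layer) when they read the attribute back.
    static String decrypt(String stored, SecretKey key) throws Exception {
        byte[] in = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, Arrays.copyOf(in, 12)));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8);
    }
    public static void main(String[] args) throws Exception {
        SecretKey key = KeyGenerator.getInstance("AES").generateKey(); // stands in for the instance's key
        Map<String, String> config = new HashMap<>(Map.of("cts.store.password", "s3cret", "server.port", "8080"));
        System.out.println("first run migrated " + encryptPlainTextPasswords(config, key)
                + ", second run migrated " + encryptPlainTextPasswords(config, key));
        System.out.println("decrypts back to " + decrypt(config.get("cts.store.password"), key));
    }
}
```

The second call reports zero migrations because the marker prefix is already present, which is the property an upgrade step needs if it can be invoked more than once against the same configuration store.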