[MODEXPS-17] Username and password expressed in plain text in module logs - FOLIO Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed (View Workflow)
Priority: P1
Resolution: Done
Affects Version/s: 1.0.3
Fix Version/s: 1.0.4
Labels:
- R1
- security
Environment:

Multi-node K8s cluster backed by vSphere

Template:
Sprint:
Concorde - Sprint 113
Story Points:
2
Development Team:
Scout
Release:
R1 2021 Hot Fix #1
Hot Fix Approved by Cap Planning?:
Yes
Hot Fix Approval Comments:
Approved by Security Team (including Mike Gorrell, a member of Cap Planning).
Affected Institution:

TAMU

Description

Update: Approved as R1 2021 Hot Fix by Security Team (including Mike Gorrell) on May 13, 2021.

In the Docker/module logs, when the module first starts the database admin username and password are expressed in plain text. This is a security risk.

Example of the log:

exec java -XX:MaxRAMPercentage=85.0 -Dspring.datasource.username=folio_admin -Dspring.datasource.password=password -Dspring.datasource.url=jdbc:postgresql://pg-folio:5432/okapi_modules -Dspring.kafka.bootstrap-servers=http://kafka-r1:9092 -Dspring.datasource.username=folio_admin -Dspring.datasource.password=password -Dspring.datasource.url=jdbc:postgresql://pg-folio:5432/okapi_modules -Dspring.kafka.bootstrap-servers=http://kafka-r1:9092 -XX:+ExitOnOutOfMemoryError -cp . -jar /usr/verticles/mod-data-export-spring.jar

TestRail: Results

Attachments

Activity

People

Assignee:: Jason Root

Reporter:: Jason Root

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 05/May/21 1:44 PM

Updated:: 27/May/21 8:56 PM

Resolved:: 06/May/21 8:37 AM

Username and password expressed in plain text in module logs