Security breach UrbanCode Deploy WebSphere plugin

The WebSphere Application Server – Deployment plug-in provides a number of steps for deploying application files to and performing administrative tasks for WebSphere Application Server. The plug-in also contains a number of steps that are related to configuration management, such as creating data sources and JMS requests. These configuration steps are deprecated; instead, use the WebSphere Application Server – Configure plug-in for all configuration-related activities.

I discovered that a Python (Jython) file is created to run the flow previously defined in IBM UrbanCode Deploy. This file is executed by a user authorized to perform that activity on the server. This user comes from LDAP or the local registry and is authenticated from IBM UrbanCode Deploy to IBM WebSphere Application Server over a SOAP connection.

The security breach I found is that the command line of the process described above is in plain text and can easily be viewed in the list of processes running on the server.

This vulnerability lets an attacker learn sensitive information, such as the administrative user name and password, as well as the content of the script executed by the DevOps solution previously defined in the environment.

My suggestion is to pass the credentials through an encrypted local file that is read by the UrbanCode Deploy plug-in locally only. This would remove the plain-text exposure and avoid the data breach shown here.

For example:

First, the parent process is created:

root 19923144 17170548 0 Oct 03 - 3:27 /usr/WebSphere/AppServer/java/bin/java -Xbootclasspath/p: -Dws.output.encoding=console -Dosgi.install.area=/usr/WebSphere/AppServer -Dosgi.configuration.area=/usr/WebSphere/AppServer/profiles/Dmgr/configuration -Dcom.ibm.CORBA.ConfigURL=file:/usr/WebSphere/AppServer/profiles/Dmgr/properties/sas.client.props -Dcom.ibm.SSL.ConfigURL=file:/usr/WebSphere/AppServer/profiles/Dmgr/properties/ssl.client.props -Dcom.ibm.SOAP.ConfigURL=file:/usr/WebSphere/AppServer/profiles/Dmgr/properties/soap.client.props -Djava.security.auth.login.config=/usr/WebSphere/AppServer/profiles/Dmgr/properties/wsjaas_client.conf -Dcom.ibm.ws.scripting.wsadminprops= -Dconfig_consistency_check= -Dwas.install.root=/usr/WebSphere/AppServer -Duser.install.root=/usr/WebSphere/AppServer/profiles/Dmgr -Dwas.repository.root=/usr/WebSphere/AppServer/profiles/Dmgr/config -Dlocal.cell=g03acxwass001Cell -Dlocal.node=g03acxwass001CellManager -Dcom.ibm.ws.management.standalone=true -Dcom.ibm.itp.location=/usr/WebSphere/AppServer/bin -Dws.ext.dirs=/usr/WebSphere/AppServer/java/lib:/usr/WebSphere/AppServer/classes:/usr/WebSphere/AppServer/lib:/usr/WebSphere/AppServer/installedChannels:/usr/WebSphere/AppServer/lib/ext:/usr/WebSphere/AppServer/web/help:/usr/WebSphere/AppServer/deploytool/itp/plugins/com.ibm.etools.ejbdeploy/runtime -Xms256m -Xmx256m -Xquickstart -Djava.util.logging.manager=com.ibm.ws.bootstrap.WsLogManager -Djava.util.logging.configureByServer=true -classpath /usr/WebSphere/AppServer/profiles/Dmgr/properties:/usr/WebSphere/AppServer/properties:/usr/WebSphere/AppServer/lib/startup.jar:/usr/WebSphere/AppServer/lib/bootstrap.jar:/usr/WebSphere/AppServer/lib/lmproxy.jar:/usr/WebSphere/AppServer/lib/urlprotocols.jar:/usr/WebSphere/AppServer/java/lib/tools.jar:/usr/WebSphere/AppServer/deploytool/itp/batchboot.jar:/usr/WebSphere/AppServer/deploytool/itp/batch2.jar com.ibm.wsspi.bootstrap.WSPreLauncher -nosplash -application com.ibm.ws.bootstrap.WSLauncher 
com.ibm.ws.admin.services.WsAdmin -lang jython -conntype SOAP -host g03acxwass001.ahe.boulder.ibm.com -port 8879 -user admin@company.com -password p@ssw0rd -f temp4935322167199991359.py
$

After that, the child process:

 root 17170548 10420360 0 Oct 03 - 0:00 /bin/sh /usr/WebSphere/AppServer/bin/wsadmin.sh -lang jython -conntype SOAP -host g03acxwass001.ahe.boulder.ibm.com -port 8879 -user admin@company.com -password p@ssw0rd -f temp4935322167199991359.py
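The two listings above show the problem: anyone who can run `ps` on the host reads the `-user` and `-password` arguments. Below is an added example (not code from the original post, and not part of UrbanCode Deploy or WebSphere) that a defender can use to check for this exposure and to verify the alternative WebSphere already offers: putting the SOAP credentials in `soap.client.props` (`com.ibm.SOAP.loginUserid` / `com.ibm.SOAP.loginPassword`, encoded with `PropFilePasswordEncoder`) so that `wsadmin.sh` no longer needs `-user`/`-password` on the command line. The process listing, host name, PIDs, the `EXAMPLE_SECRET` value and the properties content are all constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Scans ps-style output for
# wsadmin invocations that carry credentials on the command line, and
# checks a soap.client.props-style file for an unencoded login password.

# Constructed sample listing (placeholders, not a real host or secret).
SAMPLE_PS='root 19923144 17170548 0 Oct 03 - 3:27 /usr/WebSphere/AppServer/java/bin/java -Xms256m com.ibm.wsspi.bootstrap.WSPreLauncher -application com.ibm.ws.bootstrap.WSLauncher com.ibm.ws.admin.services.WsAdmin -lang jython -conntype SOAP -host dmgr.example.com -port 8879 -user admin@example.com -password EXAMPLE_SECRET -f temp123.py
root 17170548 10420360 0 Oct 03 - 0:00 /bin/sh /usr/WebSphere/AppServer/bin/wsadmin.sh -lang jython -conntype SOAP -host dmgr.example.com -port 8879 -user admin@example.com -password EXAMPLE_SECRET -f temp123.py
root 4242 1 0 Oct 03 - 0:01 /bin/sh /usr/WebSphere/AppServer/bin/wsadmin.sh -lang jython -conntype SOAP -host dmgr.example.com -port 8879 -f safe.py
wasadm 5151 1 0 Oct 03 - 0:00 /usr/bin/sleep 60'

# Constructed sample properties (the encoded value is a placeholder).
SAMPLE_PROPS='com.ibm.SOAP.securityEnabled=true
com.ibm.SOAP.loginUserid=admin@example.com
com.ibm.SOAP.loginPassword={xor}EXAMPLEENCODED'

# find_exposed_creds: read ps-style text on stdin, print one line per
# wsadmin/WsAdmin process that carries -password, with the secret redacted
# so the report itself is safe to log or ship to a SIEM.
find_exposed_creds() {
    grep -E 'wsadmin\.sh|WsAdmin' \
    | grep -E ' -password( |$)' \
    | sed -E 's/(-password) +[^ ]+/\1 <REDACTED>/'
}

# count_exposed_creds: number of exposed invocations in the sample listing.
count_exposed_creds() {
    printf '%s\n' "$SAMPLE_PS" | find_exposed_creds | wc -l | tr -d ' '
}

# props_password_state: read a soap.client.props-style file on stdin and
# print "encoded" ({xor} prefix present), "plaintext" or "absent" for
# com.ibm.SOAP.loginPassword.
props_password_state() {
    val=$(grep -E '^com\.ibm\.SOAP\.loginPassword=' | head -n 1 | cut -d= -f2-)
    if [ -z "$val" ]; then
        echo absent
    elif printf '%s' "$val" | grep -q '^{xor}'; then
        echo encoded
    else
        echo plaintext
    fi
}

# Stand-alone run against the constructed samples. On a live host you
# would pipe the real listing instead:
#   ps -eo user,pid,ppid,args | find_exposed_creds
#   props_password_state < /usr/WebSphere/AppServer/profiles/Dmgr/properties/soap.client.props
printf '%s\n' "$SAMPLE_PS" | find_exposed_creds
printf '%s\n' "$SAMPLE_PROPS" | props_password_state
```

Two caveats a practitioner should keep in mind. First, the `{xor}` encoding that `PropFilePasswordEncoder` produces is obfuscation, not encryption, so the properties file still has to be readable only by the account that runs `wsadmin.sh` (e.g. mode 600). Second, the redaction in `find_exposed_creds` only hides the password from the report; the credential has still been exposed while the process was running, so a hit should be treated as a reason to rotate that administrative password, not just to fix the invocation.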