Headline
CVE-2019-10212: DEBUG log for io.undertow.request.security if enabled leaks credentials to log files
A flaw was found in Undertow, in all versions before 2.0.20, in the DEBUG log for io.undertow.request.security. If enabled, an attacker could abuse this flaw to obtain the user’s credentials from the log files.
Description Marian Rehak 2019-07-22 13:30:40 UTC
Undertow DEBUG log for io.undertow.request.security if enabled leaks credentials to log files with legacy security set.
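A configuration check for the condition described above, added here as an example and not part of this bug report or of Undertow: it resolves the effective level of the io.undertow.request.security category from a JBoss/WildFly logging subsystem fragment, including levels inherited from a parent category or the root logger. The XML layout, the INFO root default and the numeric level table are assumptions about the JBoss LogManager; the standalone.xml fragments are constructed.

```python
"""Check a JBoss/WildFly logging subsystem fragment for CVE-2019-10212 exposure:
does io.undertow.request.security resolve to DEBUG or lower, directly or inherited?"""
import xml.etree.ElementTree as ET
# Numeric levels as in the JBoss LogManager (assumed; DEBUG and FINE share 500).
LEVELS = {"OFF": 1 << 30, "FATAL": 1100, "SEVERE": 1000, "ERROR": 1000,
          "WARN": 900, "WARNING": 900, "INFO": 800, "CONFIG": 700,
          "DEBUG": 500, "FINE": 500, "TRACE": 400, "FINER": 400,
          "FINEST": 300, "ALL": -(1 << 30)}
LEAKY_CATEGORY = "io.undertow.request.security"

def _level_of(el):
    """Name of the <level> child, if any (namespace-agnostic)."""
    for child in el:
        if child.tag.rsplit("}", 1)[-1] == "level":
            return child.get("name", "").upper()
    return None

def parse_logging_subsystem(xml_text):
    """Return (root_level, {category: level}); loggers without a level inherit."""
    root_level, categories = "INFO", {}  # INFO as root default is an assumption
    for el in ET.fromstring(xml_text).iter():
        tag, level = el.tag.rsplit("}", 1)[-1], _level_of(el)
        if tag == "root-logger" and level:
            root_level = level
        elif tag == "logger" and level:
            categories[el.get("category")] = level
    return root_level, categories

def effective_level(category, root_level, categories):
    """Walk the dotted hierarchy (a.b.c -> a.b -> a) and fall back to the root."""
    parts = category.split(".")
    while parts:
        if ".".join(parts) in categories:
            return categories[".".join(parts)]
        parts.pop()
    return root_level

def leaks_credentials(xml_text):
    """(True, level) when the leaky category would emit DEBUG records."""
    root_level, categories = parse_logging_subsystem(xml_text)
    level = effective_level(LEAKY_CATEGORY, root_level, categories)
    return LEVELS.get(level, LEVELS["OFF"]) <= LEVELS["DEBUG"], level

# Constructed standalone.xml fragments, not taken from the page or a real server.
VULNERABLE = """<subsystem xmlns="urn:jboss:domain:logging:6.0">
  <logger category="io.undertow.request.security"><level name="DEBUG"/></logger>
  <root-logger><level name="INFO"/></root-logger></subsystem>"""
INHERITED = """<subsystem xmlns="urn:jboss:domain:logging:6.0">
  <logger category="io.undertow"><level name="TRACE"/></logger>
  <root-logger><level name="INFO"/></root-logger></subsystem>"""
SAFE = VULNERABLE.replace('name="DEBUG"', 'name="INFO"')
```

Note that a parent category such as io.undertow set to TRACE exposes the same records as setting the category itself, which is why the check walks the hierarchy instead of matching the exact name.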
Comment 4 Paramvir jindal 2019-08-05 04:51:22 UTC
Mitigation:
Use Elytron instead of legacy Security subsystem.
Comment 11 Joshua Padman 2019-08-12 02:28:28 UTC
This vulnerability is out of security support scope for the following product:
* Red Hat Enterprise Application Platform 6
Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
Comment 12 Paramvir jindal 2019-08-12 04:46:12 UTC
Statement:
All the Red Hat products using the undertow-core jar version 2.0.20 or before are affected.
Comment 14 errata-xmlrpc 2019-09-30 22:51:42 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 8
Via RHSA-2019:2937 https://access.redhat.com/errata/RHSA-2019:2937
Comment 15 errata-xmlrpc 2019-09-30 22:53:56 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 6
Via RHSA-2019:2935 https://access.redhat.com/errata/RHSA-2019:2935
Comment 16 errata-xmlrpc 2019-09-30 22:56:02 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.2 for RHEL 7
Via RHSA-2019:2936 https://access.redhat.com/errata/RHSA-2019:2936
Comment 17 errata-xmlrpc 2019-09-30 22:58:15 UTC
This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2019:2938 https://access.redhat.com/errata/RHSA-2019:2938
Comment 18 Product Security DevOps Team 2019-10-01 00:45:43 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2019-10212
Comment 20 errata-xmlrpc 2019-10-10 09:54:48 UTC
This issue has been addressed in the following products:
Red Hat Openshift Application Runtimes
Via RHSA-2019:2998 https://access.redhat.com/errata/RHSA-2019:2998
Comment 23 errata-xmlrpc 2020-03-05 12:54:01 UTC
This issue has been addressed in the following products:
Red Hat Data Grid 7.3.3
Via RHSA-2020:0727 https://access.redhat.com/errata/RHSA-2020:0727