Leaking LDAP Manager password

Has anyone realized that the password for the management account is leaked through the console logging?

I’m using the Run distribution in a Docker container.
I’m retrieving the database and LDAP passwords from AWS Secrets Manager and starting Camunda with them as parameters (I modified the start.sh to add some AWS CLI commands and am not storing them in the configuration YAML files).

So in the Docker console logs I get a line that looks like this (notice the <LEAKING PASSWORD for the managerDN>).

2022-01-03 16:32:16.732  INFO 18 --- [           main] org.camunda.bpm.engine.cfg               : ENGINE-12003 Plugin 'CompositeProcessEnginePlugin[genericPropertiesConfiguration, camundaDeploymentConfiguration, camundaProcessEngineConfiguration, camundaDatasourceConfiguration, camundaJobConfiguration, camundaHistoryConfiguration, camundaMetricsConfiguration, camundaAuthorizationConfiguration, failedJobConfiguration, com.nuveen.camunda.ops.plugin.integration.NuvOpsEnginePlugin@46cb98a3, CamundaBpmRunLdapProperty [enabled=true, initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory, securityAuthentication=simple, contextProperties={}, serverUrl=ldaps://<Active Directory LDAP>:636, managerDn=<service account for LDAP Authentication>, managerPassword=<LEAKING PASSWORD for the managerDN>, baseDn=<DN of Active Directory>, userDnPattern=, userSearchBase=, userSearchFilter=(objectclass=person), groupSearchBase=, groupSearchFilter=(objectCategory=group), userIdAttribute=uid, userFirstnameAttribute=givenName, userLastnameAttribute=sn, userEmailAttribute=email, userPasswordAttribute=userpassword, groupIdAttribute=distinguishedName, groupNameAttribute=sAMAccountName, groupTypeAttribute=, groupMemberAttribute=member, sortControlSupported=false, useSsl=true, usePosixGroups=false, allowAnonymousLogin=false, authorizationCheckEnabled=true], eventPublisherPlugin, ApplicationContextClassloaderSwitchPlugin, SpringBootSpinProcessEnginePlugin]' activated on process engine 'default'

Is there any way to turn this log message off? Or change it?

-Doug

Hi @DGilmour22,

You can set the logging level of the category org.camunda.bpm.engine.cfg to WARN to suppress the output.

For example, add

logging:
  level:
    '[org.camunda.bpm.engine.cfg]': WARN

to your yaml file.

As this should be added to the production.yaml by default, could you please report the vulnerability here: Report a Vulnerability | docs.camunda.org

Cheers, Ingo

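A way to verify that the logging change above actually stopped the leak, and to scrub the ENGINE-12003 line if it has to pass through a log shipper anyway. This is an added example for this thread, not code from the original posts or from Camunda. It assumes the Spring Boot style log prefix and the `CamundaBpmRunLdapProperty [key=value, ...]` dump format shown in Doug's post; the log lines, host name, DN and the password value are constructed placeholders.

```python
"""Scan container log lines for credentials that Camunda Run's ENGINE-12003
plugin-activation message prints, and redact them before the lines leave the host.

Added example for the forum thread; not code from the original posts or from Camunda.
All log lines below are constructed to mimic the format shown in the thread; the
host, DN and password values are placeholders.
"""
import re

# Value written in place of a secret once a line has been redacted.
REDACTED = "***"

# Keys inside the CamundaBpmRunLdapProperty dump whose values are secrets.
# Matched exactly (case-insensitive) rather than by substring, because
# userPasswordAttribute=userpassword names an LDAP attribute, not a secret.
SECRET_KEYS = {"managerpassword", "password", "secret"}

# Spring Boot style prefix: timestamp, level, pid, thread, logger, message.
LOG_LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<level>[A-Z]+)\s+\d+\s+---\s+\[[^\]]*\]\s+"
    r"(?P<logger>\S+)\s*:\s*(?P<msg>.*)$"
)

# key=value pairs in the toString() dump. A value runs up to the next ", key="
# separator, a closing bracket or end of line, so a DN such as CN=x,OU=y,DC=z
# (commas without a following space) stays in one piece.
KV_RE = re.compile(r"(?P<key>\w+)=(?P<val>.*?)(?=, \w+=|\]|$)")


def find_leaked_secrets(lines):
    """Return one finding per secret-bearing key found in an ENGINE-12003 line."""
    findings = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE_RE.match(line)
        if not m or "ENGINE-12003" not in m.group("msg"):
            continue
        for kv in KV_RE.finditer(m.group("msg")):
            key, val = kv.group("key"), kv.group("val")
            if key.lower() in SECRET_KEYS and val and val != REDACTED:
                findings.append({
                    "line": n,
                    "level": m.group("level"),
                    "logger": m.group("logger"),
                    "key": key,
                    "value": val,
                })
    return findings


def redact_secrets(line):
    """Replace the value of every secret-bearing key in a log line with ***."""
    def mask(kv):
        if kv.group("key").lower() in SECRET_KEYS and kv.group("val"):
            return f"{kv.group('key')}={REDACTED}"
        return kv.group(0)
    return KV_RE.sub(mask, line)


# Constructed sample: the leaking INFO line before the logging change (placeholder
# values, not real credentials), followed by an unrelated INFO line.
BEFORE_FIX = [
    "2022-01-03 16:32:16.732  INFO 18 --- [           main] org.camunda.bpm.engine.cfg               : "
    "ENGINE-12003 Plugin 'CompositeProcessEnginePlugin[genericPropertiesConfiguration, "
    "CamundaBpmRunLdapProperty [enabled=true, serverUrl=ldaps://ad.example.test:636, "
    "managerDn=CN=svc-camunda,OU=Service Accounts,DC=example,DC=test, "
    "managerPassword=Placeholder-Pa55, baseDn=DC=example,DC=test, userDnPattern=, "
    "userPasswordAttribute=userpassword, useSsl=true], eventPublisherPlugin]' "
    "activated on process engine 'default'",
    "2022-01-03 16:32:17.005  INFO 18 --- [           main] org.example.Startup                      : "
    "constructed sample line with no credentials",
]

# Constructed sample: with org.camunda.bpm.engine.cfg at WARN the INFO line above is
# no longer emitted, so only the unrelated line remains.
AFTER_FIX = BEFORE_FIX[1:]


if __name__ == "__main__":
    for f in find_leaked_secrets(BEFORE_FIX):
        print(f"line {f['line']}: {f['logger']} at {f['level']} prints {f['key']}")
    print(redact_secrets(BEFORE_FIX[0]))
    print("findings after fix:", find_leaked_secrets(AFTER_FIX))
```

Feed real output in with `docker logs <container> | python3 scan.py` by swapping the sample list for `sys.stdin`. Two points worth keeping in mind: raising the category to WARN hides every ENGINE-12003 message, not just the LDAP one, so `redact_secrets` is the alternative when that information is still wanted downstream; and a line this scanner finds has already been written to the container's log storage, so the manager password should be rotated, not only hidden from future output.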

That worked. Thanks.