Details
- Type: Bug
- Resolution: Won't Fix
- Priority: High
- None
- 6.0.7, 6.1.4, 6.2.4
- 2
- Severity 2 - Major
- 1
Description
Issue
Running Synchrony as a stand-alone service for Data Center instances exposes sensitive information: the database username and password and the JWT private/public key pair are all passed to the JVM as -D system properties on the command line. Because a process's command line is world-readable on Linux (ps reads it from /proc/<pid>/cmdline), anyone with shell access to the server, privileged or not, can read these values.
To Reproduce
- Set up Synchrony as a stand-alone service
- Start Synchrony
- As any other local user, run ps -ef | grep synchrony
- Results (the key and credential values are shown as placeholders; note that -Dsynchrony.database.url appeared without its leading dash in the original paste and has been corrected here):
synchro+ 1707 1 89 18:19 ? 00:00:08 java -Xms2048k -Xmx1024m -classpath /opt/atlassian/synchrony/synchrony-standalone.jar:/opt/atlassian/synchrony/postgresql-42.1.1.jar -Dsynchrony.cluster.impl=hazelcast-btf -Dsynchrony.port=8091 -Dcluster.listen.port=5701 -Dsynchrony.cluster.base.port=25500 -Dcluster.join.type=tcpip -Dcluster.join.tcpip.members=192.168.56.1 -Dsynchrony.context.path=/synchrony -Dsynchrony.cluster.bind=192.168.56.102 -Dsynchrony.bind=192.168.56.102 -Dcluster.interfaces=192.168.56.102 -Dsynchrony.service.url=http://192.168.56.102:8091/synchrony -Dreza.service.url=http://192.168.56.102:8091/synchrony -Djwt.private.key=<PRIVATE_KEY_HERE> -Djwt.public.key=<PUBLIC_KEY_HERE> -Dsynchrony.database.url=jdbc:postgresql://10.0.2.2:5432/confluence631 -Dsynchrony.database.username=<DATABASE_USERNAME_HERE> -Dsynchrony.database.password=<DATABASE_PASSWORD_HERE> -Djava.net.preferIPv4Stack=true -Dip.whitelist=192.168.56.1,localhost synchrony.core sql
jason 1728 1674 0 18:19 pts/0 00:00:00 grep --color=auto synchrony
The second line shows that the unprivileged user jason, who did not start Synchrony, can read the full argument list including the private key and database password.
Suggestion
Make Synchrony read this information from a file whose permissions restrict it to the user running Synchrony (for example mode 0600, owned by that user), so that nothing secret appears in the process argument list. This could be a copy of confluence.cfg.xml or a new file.
Workaround
Restrict shell access to the host running Synchrony to the users who need it; i.e. deny logon by disabling or removing unneeded accounts on the Synchrony system. Also, on Linux kernels 3.3 or newer, /proc can be mounted with hidepid=1 (other users can still see that a process exists but cannot read its /proc/<pid>/cmdline and similar per-process files) or hidepid=2 (other users' processes are not visible at all); the gid= mount option exempts one group, which is useful for monitoring agents. Note that hidepid does not protect against root, against members of the exempt group, or against anyone who can run code as the synchrony user, and some system services expect to see all processes, so test the remount before applying it permanently. More information on doing this can be found at https://www.cyberciti.biz/faq/linux-hide-processes-from-other-users/ .
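The following script is an added example, not part of this ticket or of Atlassian's product, covering both the reproduction above and the hidepid workaround. It audits a Linux host for the secret-bearing -D properties the ps output shows (the property names are taken from the ps line; the list is an assumption about which ones matter), reporting them with values redacted so the audit output itself does not leak the secrets, and it checks whether the proc mount currently carries a hidepid option. The sample command line and mount lines in the usage at the bottom are constructed test data, not captured from a real server.

```shell
#!/bin/sh
# Audit for secrets exposed as JVM -D arguments, and check the /proc hidepid setting.
# Added example; assumes Linux with /proc. Not Atlassian code.

# Property names the ticket's ps output shows carrying secrets (assumed list; extend as needed).
SENSITIVE_PROPS='synchrony.database.password|synchrony.database.username|jwt.private.key|jwt.public.key'

# redact_secrets: read one command line on stdin (arguments separated by NUL, as in
# /proc/<pid>/cmdline, or by spaces, as in ps output) and print each sensitive
# -Dname=value argument with the value replaced by [REDACTED]. Prints nothing if clean.
redact_secrets() {
    tr '\0 ' '\n\n' \
        | grep -E "^-D($SENSITIVE_PROPS)=" \
        | sed -E 's/=.*/=[REDACTED]/'
}

# scan_procs: walk every process the caller is allowed to read and report which
# pids expose sensitive properties. Run this as an unprivileged user to see exactly
# what such a user can read; with hidepid=2 in effect, other users' pids vanish.
scan_procs() {
    for f in /proc/[0-9]*/cmdline; do
        pid=${f#/proc/}
        pid=${pid%/cmdline}
        hits=$(redact_secrets < "$f" 2>/dev/null)
        if [ -n "$hits" ]; then
            printf 'pid %s exposes:\n%s\n' "$pid" "$hits"
        fi
    done
    return 0
}

# hidepid_of: read /proc/mounts-style lines on stdin and print the hidepid value of
# the proc filesystem mounted at /proc, or 0 when the option is absent. Kernels 5.8
# and newer may report the value as a word (invisible/noaccess) rather than 1/2;
# whatever the kernel reports is printed unchanged.
hidepid_of() {
    awk '$2 == "/proc" && $3 == "proc" {
        n = split($4, opts, ",")
        v = "0"
        for (i = 1; i <= n; i++)
            if (opts[i] ~ /^hidepid=/) { sub(/^hidepid=/, "", opts[i]); v = opts[i] }
        print v
    }'
}

# Usage when run directly (the checks below are skipped when the file is sourced by a harness).
if [ "${0##*/}" = "audit_jvm_secrets.sh" ]; then
    echo "hidepid on /proc: $(hidepid_of < /proc/mounts)"
    scan_procs
fi
```

Run it as a non-root user with no special group membership: any "pid N exposes:" line means that user can read the corresponding secret, and a hidepid of 0 means the workaround is not in place. The redaction relies on the argument parser, so a secret that contains a space would be truncated in the report rather than leaked.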