-
Suggestion
-
Resolution: Done
-
None
-
None
Currently database password is stored in plain text format in crowd_home/crowd.cfg.xml file property “hibernate.connection.password”
Crowd should Encrypt the database password since it's in plain text in the crowd.cfg.xml l file or it could use the integrated authentication with the databases such as MSSQL database.
- is related to
-
- Closed
- is cloned by
-
KRAK-4557 Loading...
- mentioned in
-
-
-
-
-
-
-
-
-
-
- relates to
-
[CWD-4071] Encrypt Database Password in crowd.cfg.xml or use integrated authentication
Understand that Atlassian is using Hashicorp vault to address security vulnerabilities as per https://www.hashicorp.com/resources/how-hashicorp-vault-solves-the-top-3-cloud-security it would be helpful to other organizations if DB passwords are encrypted like Jira https://confluence.atlassian.com/jiracore/advanced-encryption-975040999.html . Hope Atlassian add pass encryption feature to all Atlassian products soon.
Update:: 2022/08/19
Confluence and Bamboo now incorporate DB password encryption but still CROWD doesn't have this DB password encryption feature. Our Information Security is mandating to encrypt all plain text passwords. Hope Atlassian adds pass encryption feature to CROWD soon.
I would be happy if they officially supported setting these passwords via environment variables. That way, we can use our own systems (Vault for example) to load the passwords into environment variables on startup.
It would be good if all Atlassian server application codebases operated similarly in this regard since our AppSec review (as I imagine would be most others) is conditioned not on just one server but multiple - Jira, Confluence, and Crowd in our case. As of the moment, only the Jira server supports database password encryption.
It is hard to believe Atlassian has completely blown this simple fix off for more than a decade, and won't bother to implement it.