Elasticsearch credentials are printed in startup log #4804

Closed
lennartkoopmann opened this Issue May 23, 2018 · 1 comment

lennartkoopmann commented May 23, 2018

When starting Graylog, the full URI to all Elasticsearch servers in the pool is printed and it includes the authentication credentials.

[AbstractJestClient] Setting server pool to a list of 1 servers: [http://johndoe:secret@127.0.0.1:9200]

Authentication credentials should never be printed anywhere.

joschi added a commit to graylog-labs/Jest that referenced this issue May 24, 2018

Scrub server URIs before logging them in AbstractJestClient
As a best practice, access credentials such as the user info in the URI of Elasticsearch node URIs
should never be logged in plaintext.

Refs Graylog2/graylog2-server#4804

joschi added a commit to graylog-labs/Jest that referenced this issue May 24, 2018

Scrub server URIs before logging them in AbstractJestClient
As a best practice, access credentials such as the user info in the URI of Elasticsearch node URIs
should never be logged in plaintext.

Refs Graylog2/graylog2-server#4804

(cherry picked from commit 55ad3d5)


joschi commented May 24, 2018

@joschi joschi self-assigned this May 24, 2018

@joschi joschi added this to the 3.0.0 milestone May 24, 2018

joschi added a commit that referenced this issue May 24, 2018

@bernd bernd added the security label May 24, 2018

@bernd bernd closed this in #4805 May 24, 2018

bernd added a commit that referenced this issue May 24, 2018

joschi added a commit that referenced this issue May 24, 2018

bernd added a commit that referenced this issue May 24, 2018

@bernd bernd modified the milestones: 3.0.0, 2.4.5 May 25, 2018
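The scrubbing that the commit message above describes, shown as an added example: this is not the Jest patch or any code from the project. The class and method names (`UriScrubber`, `scrub`, `scrubAll`) and the placeholder string are hypothetical, and the sample pool is constructed around the URI from the report. It uses `java.net.URI` and fails closed when the URI cannot be split into user info and host, which happens for example with an underscore in the host name.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

// Added illustration; names are hypothetical and not taken from Jest.
public class UriScrubber {
    private static final String REDACTED = "<unparseable URI redacted>";

    /** Returns the URI without its user-info component, safe to log. */
    static String scrub(String raw) {
        try {
            URI u = new URI(raw);
            if (u.getRawUserInfo() == null) {
                // Either there are no credentials, or java.net.URI fell back
                // to a registry-based authority and did not split it.
                String authority = u.getRawAuthority();
                if (authority == null || !authority.contains("@")) {
                    return raw;
                }
                return REDACTED; // credentials may be present: do not echo
            }
            // Rebuild the URI with userInfo set to null.
            return new URI(u.getScheme(), null, u.getHost(), u.getPort(),
                    u.getPath(), u.getQuery(), u.getFragment()).toString();
        } catch (URISyntaxException e) {
            // Fail closed: never log a string that could not be parsed.
            return REDACTED;
        }
    }

    static List<String> scrubAll(List<String> uris) {
        return uris.stream().map(UriScrubber::scrub).collect(Collectors.toList());
    }

    public static void main(String[] args) {
        // Constructed sample pool; the first entry is the URI from the report.
        List<String> pool = Arrays.asList(
                "http://johndoe:secret@127.0.0.1:9200",
                "https://es2.example.org:9200/",
                "http://johndoe:secret@es_node:9200"); // underscore host
        System.out.println("Setting server pool to a list of " + pool.size()
                + " servers: " + scrubAll(pool));
    }
}
```

Scrubbing at the log call only covers that one message; the same URI can still reach logs through exception messages or configuration dumps, so those paths need the same treatment.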
