Describe the security issue
If the server or container is not dedicated to the engine, other local users (attackers with an account on the same host) may be able to read mirth.properties and keystore.jks. The database credentials and SSL secrets stored in those files can then be misused, which can allow escalation of privilege or loss of non-repudiation.
Suggested remediation
Have the installer and the server application set 600-equivalent permissions (owner read/write only) on the mirth.properties and keystore.jks files.
Workaround
POSIX:
chmod 600 mirth.properties
chmod 600 keystore.jks
Windows:
Edit the NTFS permissions on both files to:
- Remove read access for BUILTIN\Users
- Add Full Control for NT Service\Open Integration Engine
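The POSIX workaround as a repeatable check, added here as an example that is not part of the advisory or the project's own code: the script audits mirth.properties and keystore.jks for group/other read access and, if asked, applies the chmod 600 fix. It assumes the engine's configuration directory is passed as the first argument (a constructed path; adjust to the real install location).

```shell
#!/bin/sh
# Audit/fix the permissions of the two secret-bearing files named in the advisory.
# Portable approach: inspect the group/other part of the `ls -l` mode string
# (characters 5-10), which must be "------" for a 600-or-stricter file.

# Return 0 if the file grants no permissions to group or others, 1 otherwise.
file_is_private() {
    f="$1"
    [ "$(ls -ld "$f" | cut -c5-10)" = "------" ]
}

# Report each existing secret file; exit status is the number of weak files.
audit_engine_secrets() {
    dir="$1"
    bad=0
    for name in mirth.properties keystore.jks; do
        f="$dir/$name"
        [ -e "$f" ] || continue
        if file_is_private "$f"; then
            echo "OK   $f"
        else
            echo "WEAK $f ($(ls -ld "$f" | cut -c1-10))"
            bad=$((bad + 1))
        fi
    done
    return "$bad"
}

# Apply the advisory's workaround (chmod 600) to whichever of the files exist.
fix_engine_secrets() {
    dir="$1"
    for name in mirth.properties keystore.jks; do
        f="$dir/$name"
        if [ -e "$f" ]; then
            chmod 600 "$f"
        fi
    done
}

# Usage: ./check_engine_secrets.sh /path/to/engine/conf [--fix]
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--fix" ]; then
        fix_engine_secrets "$1"
    fi
    audit_engine_secrets "$1"
fi
```

Run it from cron or a configuration-management check so a later upgrade or restore that resets the mode is caught, not just the initial install.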
Scoring
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (base score 5.5)
Thanks to
Guus Verbeek and DIVD