Customer Portal

Knowledge Base

  1. CloverDX Customer Portal
  2. Knowledge base
  3. Security advisory April 2023

Security advisory April 2023

Avatar
Branislav Repcek
  • Updated
Follow

Last updated date: 5th May 2023

Advisory publication date: 18th April 2023

 

Summary

This advisory discloses one critical vulnerability that can lead to disclosure of user passwords via CloverDX Server audit logs. The vulnerability affects CloverDX versions from 5.14 to 5.17.2 – see full list in the Affected product versions section.

The vulnerability can be easily prevented by disabling audit log and deleting existing audit log files. See more details in Mitigation section.

As of 2nd May 2023, all supported versions of CloverDX have a fix available. See below for more details.

Am I affected?

To quickly verify whether you are affected, you can verify the following on each of your CloverDX instances. You are affected if all the following conditions are true

  1. You are using one of the affected versions (CloverDX 5.14.0 to CloverDX 5.17.2). See more details in Affected product versions section.
  2. You are not using single sign-on in CloverDX Server (i.e., you are using internally managed accounts or use LDAP without single sign-on).
  3. You did not disable your audit log. To see whether audit log is enabled, check the value of logging.logger.server_audit.enabled property via Configuration > CloverDX Info > Server Properties in CloverDX Server Console.

If you are affected, review the What you need to do section below.

CVE ID(s)

  • CVE-2023-31056

Affected product versions

  • CloverDX 5.17.x before 5.17.3
  • CloverDX 5.16.x before 5.16.2
  • CloverDX 5.15.x before 5.15.4
  • CloverDX 5.14.x – this version is retired and no longer receives security fixes.
  • Versions before CloverDX 5.14.0 are not affected by this vulnerability.

Fixed product versions

Vulnerabilities

CVE-2023-31056: Audit log leaking sensitive data

CloverDX creates various plain-text log files as part of its operation. These logs are stored in cloverlogs.dir which resolves to ${java.io.tmpdir}/cloverlogs directory by default.

Audit log (server-audit.log file) stores information about API calls to the Server and typically is used to audit user actions (e.g., log-ins, user interface actions, API calls etc.).

The audit log stores parameters of many of these calls and in CloverDX 5.14 a vulnerability was introduced that causes the log to also store some sensitive data (master password and user passwords) when user logs into the Server Console or when master password is changed.

Audit log is not necessary for the Server to function and can be easily disabled. However, by default it is enabled in the affected versions of CloverDX.

Fix

We recommend all customers to upgrade to CloverDX 6.0 or CloverDX 5.17.3 in which the vulnerability is fixed. Before the upgrade, please review the Mitigation section for details about how to disable the audit log.

What you need to do

  • 6.0.x users – no need to do anything, CloverDX 6.0 is not affected by the vulnerability.
  • 5.17.x before 5.17.3 users – disable and delete audit log immediately (see Mitigation section) and then update to 5.17.3 (easy update) or upgrade to the latest version of CloverDX.
  • 5.16.x before 5.16.2 users – disable and delete audit log immediately (see Mitigation section) and then update to 5.16.2 (easy update) or upgrade to the latest version of CloverDX.
  • 5.15.x before 5.15.4 users – disable and delete audit log immediately (see Mitigation section) and then update to 5.15.4 (easy update) or upgrade to the latest version of CloverDX.
  • 5.14.x users – disable and delete audit log immediately (see Mitigation section) and then upgrade to the latest version of CloverDX (CloverDX 5.14 is retired and does not receive security fixes anymore).
  • Older versions – upgrade to CloverDX 5.16.1 (recommended) or any other fixed version.

Mitigation

Audit log is optional and can be easily disabled via CloverDX configuration. To disable the log, set logging.logger.server_audit.enabled configuration property to false.

This can be done via CloverDX Server Console: log-in as administrator and go to Configuration > Setup > Configuration file and add a line like this:

logging.logger.server_audit.enabled = false

If the line above exists, change the value to false. Save the configuration file and then restart CloverDX Server (note that restart of the Worker is not enough - whole Server must be restarted for the setting to take effect).

Once the log is disabled, delete server-audit.log file from your log directory. Log directory is configured via cloverlogs.dir which resolves to ${java.io.tmpdir}/cloverlogs by default.

Support

If you did not receive this email directly and you want to receive Security Advisory emails like this in the future, subscribe to the CloverDX Security Alerts mailing list.

If you have any questions or concerns regarding this advisory, please raise a CloverCARE support request via Customer Portal.

References

Update history

  • 2023-05-04 – added information about fixed versions 5.15.4 and 5.16.2. Minor clarification of wording in some sections.
  • 2023-04-24 – Added CVE number for the vulnerability.
  • 2023-04-19 – Clarified issues linked to CVE – removed unrelated issue CLO-25056. Minor formatting changes.
  • 2023-04-18 – This advisory was first published.

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Submit a request

Comments 0

Please sign in to leave a comment.

Related articles

Articles in this section

Security advisory: Tomcat vulnerabilities (March 2025) Security advisory August 2024 Security advisory April 2023 Security advisories Resolving SFTP connection issue by re-enabling SSH-rsa Security advisory November 2022 – Text4Shell Security advisory November 2022 – OpenSSL Security advisory April 2022 – Spring4Shell Security advisory December 2021 Security advisory November 2021
See more