Last updated date: 5th May 2023
Advisory publication date: 18th April 2023
Summary
This advisory discloses one critical vulnerability that can lead to disclosure of user passwords via CloverDX Server audit logs. The vulnerability affects CloverDX versions from 5.14 to 5.17.2 – see full list in the Affected product versions section.
The vulnerability can be easily prevented by disabling audit log and deleting existing audit log files. See more details in Mitigation section.
As of 2nd May 2023, all supported versions of CloverDX have a fix available. See below for more details.
Am I affected?
To quickly verify whether you are affected, check the following on each of your CloverDX instances. You are affected if all of the following conditions are true:
- You are using one of the affected versions (CloverDX 5.14.0 to CloverDX 5.17.2). See more details in Affected product versions section.
- You are not using single sign-on in CloverDX Server (i.e., you are using internally managed accounts or use LDAP without single sign-on).
- You did not disable your audit log. To see whether the audit log is enabled, check the value of the logging.logger.server_audit.enabled property via Configuration > CloverDX Info > Server Properties in CloverDX Server Console.
If you are affected, review the What you need to do section below.
CVE ID(s)
- CVE-2023-31056
Affected product versions
- CloverDX 5.17.x before 5.17.3
- CloverDX 5.16.x before 5.16.2
- CloverDX 5.15.x before 5.15.4
- CloverDX 5.14.x – this version is retired and no longer receives security fixes.
- Versions before CloverDX 5.14.0 are not affected by this vulnerability.
Fixed product versions
- CloverDX 6.0.0: see release notes for more details.
- CloverDX 5.17.3: see release notes for more details.
- CloverDX 5.16.2: see release notes for more details.
- CloverDX 5.15.4: see release notes for more details.
Vulnerabilities
CVE-2023-31056: Audit log leaking sensitive data
CloverDX creates various plain-text log files as part of its operation. These logs are stored in the directory configured by cloverlogs.dir, which resolves to ${java.io.tmpdir}/cloverlogs by default.
The audit log (server-audit.log file) stores information about API calls to the Server and is typically used to audit user actions (e.g., log-ins, user interface actions, API calls, etc.).
The audit log stores parameters of many of these calls, and in CloverDX 5.14 a vulnerability was introduced that causes the log to also store some sensitive data (the master password and user passwords) when a user logs into the Server Console or when the master password is changed.
The audit log is not necessary for the Server to function and can be easily disabled. However, it is enabled by default in the affected versions of CloverDX.
- CVE details: CVE-2023-31056 (NVD)
- Severity: critical
- CVSS 3.1 score: 9.1
- CVSS 3.1 vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
- CloverDX issue tracker: CLO-25724, CLO-23822
Fix
We recommend that all customers upgrade to CloverDX 6.0 or CloverDX 5.17.3, in which the vulnerability is fixed. Before the upgrade, please review the Mitigation section for details about how to disable the audit log.
What you need to do
- 6.0.x users – no need to do anything, CloverDX 6.0 is not affected by the vulnerability.
- 5.17.x before 5.17.3 users – disable and delete audit log immediately (see Mitigation section) and then update to 5.17.3 (easy update) or upgrade to the latest version of CloverDX.
- 5.16.x before 5.16.2 users – disable and delete audit log immediately (see Mitigation section) and then update to 5.16.2 (easy update) or upgrade to the latest version of CloverDX.
- 5.15.x before 5.15.4 users – disable and delete audit log immediately (see Mitigation section) and then update to 5.15.4 (easy update) or upgrade to the latest version of CloverDX.
- 5.14.x users – disable and delete audit log immediately (see Mitigation section) and then upgrade to the latest version of CloverDX (CloverDX 5.14 is retired and does not receive security fixes anymore).
- Older versions – upgrade to CloverDX 5.16.1 (recommended) or any other fixed version.
Mitigation
The audit log is optional and can be easily disabled via CloverDX configuration. To disable the log, set the logging.logger.server_audit.enabled configuration property to false.
This can be done via CloverDX Server Console: log in as administrator, go to Configuration > Setup > Configuration file and add a line like this:
logging.logger.server_audit.enabled = false
If the line above already exists, change its value to false. Save the configuration file and then restart CloverDX Server (note that restarting the Worker is not enough; the whole Server must be restarted for the setting to take effect).
Once the log is disabled, delete the server-audit.log file from your log directory. The log directory is configured via cloverlogs.dir, which resolves to ${java.io.tmpdir}/cloverlogs by default.
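The checks in the Am I affected? section and the configuration change in the Mitigation section can be scripted for administrators who manage several CloverDX instances. The script below is an added example written for this advisory, not CloverDX code or a tool the vendor ships. It reads a CloverDX Server configuration file in Java properties format (path supplied by the administrator), reports whether the audit log is enabled, tells whether a given version string falls in the affected range listed above, rewrites the logging.logger.server_audit.enabled property to false, and prints where server-audit.log is expected under cloverlogs.dir. The fallback of ${java.io.tmpdir} to $TMPDIR or /tmp is an assumption for typical Linux installs; the Server restart and the deletion of the log file remain manual steps as the advisory describes.

```shell
#!/bin/sh
# Added example (not CloverDX code): helpers for checking and applying the
# audit-log mitigation from the CVE-2023-31056 advisory.

# Prints "enabled" or "disabled" for the audit log configured in $1.
# The advisory states the audit log is on by default in affected versions,
# so a missing property counts as enabled. Last assignment wins; both the
# '=' and ':' separators of Java properties files are accepted.
audit_log_state() {
    config_file="$1"
    value=$(sed -n 's/^[[:space:]]*logging\.logger\.server_audit\.enabled[[:space:]]*[=:][[:space:]]*\(.*\)$/\1/p' "$config_file" \
            | tail -n 1 | tr -d '[:space:]' | tr 'A-Z' 'a-z')
    if [ "$value" = "false" ]; then
        echo disabled
    else
        echo enabled
    fi
}

# Returns 0 when the version string in $1 is in the advisory's affected
# range: all 5.14.x, 5.15.x before 5.15.4, 5.16.x before 5.16.2,
# 5.17.x before 5.17.3. Everything else (pre-5.14, 6.0.0) is not affected.
version_affected() {
    IFS=. read -r major minor patch <<EOF
$1
EOF
    patch=${patch:-0}
    # Keep only the leading digits so suffixes like "-rc1" do not break -lt.
    minor=$(printf '%s' "$minor" | sed 's/[^0-9].*//')
    patch=$(printf '%s' "$patch" | sed 's/[^0-9].*//')
    [ "$major" = "5" ] || return 1
    case "$minor" in
        14) return 0 ;;
        15) [ "$patch" -lt 4 ] ;;
        16) [ "$patch" -lt 2 ] ;;
        17) [ "$patch" -lt 3 ] ;;
        *) return 1 ;;
    esac
}

# Sets logging.logger.server_audit.enabled to false in $1, appending the
# line when it is absent, and prints the resulting state. The whole Server
# must still be restarted afterwards for the change to take effect.
disable_audit_log() {
    config_file="$1"
    tmp="$config_file.tmp.$$"
    if grep -q '^[[:space:]]*logging\.logger\.server_audit\.enabled[[:space:]]*[=:]' "$config_file"; then
        sed 's/^\([[:space:]]*logging\.logger\.server_audit\.enabled[[:space:]]*[=:]\).*/\1 false/' \
            "$config_file" > "$tmp" && mv "$tmp" "$config_file"
    else
        printf '\nlogging.logger.server_audit.enabled = false\n' >> "$config_file"
    fi
    audit_log_state "$config_file"
}

# Prints the expected path of server-audit.log: cloverlogs.dir from $1, or
# the advisory's ${java.io.tmpdir}/cloverlogs default, approximated here
# by $TMPDIR or /tmp (assumption). Delete this file once the log is disabled.
audit_log_path() {
    config_file="$1"
    dir=$(sed -n 's/^[[:space:]]*cloverlogs\.dir[[:space:]]*[=:][[:space:]]*\(.*\)$/\1/p' "$config_file" | tail -n 1)
    [ -n "$dir" ] || dir="${TMPDIR:-/tmp}/cloverlogs"
    printf '%s/server-audit.log\n' "$dir"
}

# Usage: sh check_cloverdx_audit.sh <config-file> <server-version>
if [ $# -ge 2 ]; then
    echo "version $2: $(version_affected "$2" && echo affected || echo 'not affected')"
    echo "audit log: $(audit_log_state "$1")"
    echo "audit log file: $(audit_log_path "$1")"
fi
```

Run it read-only first with the configuration file path and the version shown in the Server Console; only call disable_audit_log once you have confirmed the instance is affected, then restart the whole Server and remove the reported server-audit.log file.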
Support
If you did not receive this email directly and you want to receive Security Advisory emails like this in the future, subscribe to the CloverDX Security Alerts mailing list.
If you have any questions or concerns regarding this advisory, please raise a CloverCARE support request via Customer Portal.
References
Update history
- 2023-05-04 – Added information about fixed versions 5.15.4 and 5.16.2. Minor clarification of wording in some sections.
- 2023-04-24 – Added CVE number for the vulnerability.
- 2023-04-19 – Clarified issues linked to CVE – removed unrelated issue CLO-25056. Minor formatting changes.
- 2023-04-18 – This advisory was first published.