Werk #17495: Stop LDAP integration from logging passwords to Apache error_log when LDAP log level is debug
| Component | Setup | ||||||||
| Title | Stop LDAP integration from logging passwords to Apache error_log when LDAP log level is debug | ||||||||
| Date | Feb 6, 2025 | ||||||||
| Level | Trivial Change | ||||||||
| Class | Security Fix | ||||||||
| Compatibility | Compatible - no manual interaction needed | ||||||||
| Checkmk versions & editions |
|
We allow specifying the log level of various checkmk components in the
global settings. In previous versions, when setting the "LDAP" log level
to "Debug" under Global Settings > User Interface > Logging while having
an LDAP integration configured, a trace of each function call to the
python-ldap library would be written to the var/log/apache/error_log
file. These traces might for example include user names and clear
passwords of each login attempt.
With this werk, we rework the "Debug" log level of our LDAP integration
and will no longer log these traces to the var/log/apache/error_log
file.
We thank an external contributer for reporting this issue.
Affected Versions:
- 2.3.0
- 2.2.0
- 2.1.0 (EOL)
Mitigations:
If you are unable to apply this update, set the log level of "LDAP" to any other value than "Debug" to not be affected by this vulnerability.
Indicators of Compromise:
You have been exposed to this vulnerability if the file
var/log/apache/error_log lists any function calls to the ldap
library as follows
*** <ldap.ldapobject.ReconnectLDAPObject object at {addr}> {ldap_url} - ReconnectLDAPObject.simple_bind, referer: {checkmk_site}/check_mk/login.py
(('cn={user_name},ou=benutzer,dc=corp,dc=de', {password}, None, None), {}), referer: {checkmk_site}/check_mk/login.py
Vulnerability Management:
We have rated the issue with a CVSS score of 5.6 Medium
(CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:H/SC:N/SI:N/SA:N) and
assigned CVE-2025-1075.