[ https://issues.apache.org/jira/browse/CASSANDRA-20856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18016336#comment-18016336 ]
Hayato Shimizu commented on CASSANDRA-20856:
--------------------------------------------

Just to emphasise the redaction requirement from an enterprise perspective, the separation of concerns is an important factor here. Enterprises often have multiple operational personas. People who provision encryption passwords may not be the same as the CQL admin. Exposing plaintext secrets, even to CQL superusers, breaks this separation of concerns. A common compliance requirement (ISO 27001, SOC 2, PCI DSS) is that sensitive key material and passwords must not be retrievable like this.

Also, this is worth a quick read - https://cwe.mitre.org/data/definitions/200.html

> system_views.settings exposes encryption and TDE passwords in plaintext over CQL
> --------------------------------------------------------------------------------
>
>                 Key: CASSANDRA-20856
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-20856
>             Project: Apache Cassandra
>          Issue Type: Bug
>          Components: Feature/Virtual Tables
>            Reporter: Hayato Shimizu
>            Assignee: Stefan Miklosovic
>            Priority: Normal
>             Fix For: 4.1.x, 5.0.x, 5.x
>
>          Time Spent: 1h 10m
>  Remaining Estimate: 0h
>
> Selecting from the virtual table {{system_views.settings}} shows the property values cassandra.yaml faithfully, including the ones that contain passwords.
>
> Any user with {{SELECT}} on {{system_views.settings}} can read these secrets.
>
> {code:java}
> cqlsh:system_views> select * from settings where name = 'client_encryption_options.truststore_password';
>  name                                          | value
> -----------------------------------------------+----------
>  client_encryption_options.truststore_password | changeit
> (1 rows)
> cqlsh:system_views> select * from settings where name = 'client_encryption_options.keystore_password';
>  name                                        | value
> ---------------------------------------------+----------
>  client_encryption_options.keystore_password | changeit
> (1 rows)
> cqlsh:system_views> select * from settings where name = 'server_encryption_options.truststore_password';
>  name                                          | value
> -----------------------------------------------+----------
>  server_encryption_options.truststore_password | changeit
> (1 rows)
> cqlsh:system_views> select * from settings where name = 'server_encryption_options.keystore_password';
>  name                                        | value
> ---------------------------------------------+----------
>  server_encryption_options.keystore_password | changeit
> (1 rows)
> cqlsh:system_views> select * from system_views.settings where name = 'transparent_data_encryption_options.key_provider.parameters';
>  name                                                        | value
> -------------------------------------------------------------+--------------------------------------------------------------------------------------------------
>  transparent_data_encryption_options.key_provider.parameters | {keystore_password=cassandra, keystore=conf/.keystore, store_type=JCEKS, key_password=cassandra}
> {code}
> Passwords and secrets should be handled as a special case and not exposed in plain text in any of the virtual tables.
> Observed in 4.1.x and 5.0.x

--
This message was sent by Atlassian Jira
(v8.20.10#820010)
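An added example, not part of the original message and not the Cassandra project's fix: a small audit helper that takes `(name, value)` rows as returned by `system_views.settings`, masks values whose setting name ends in a sensitive word, and also masks sensitive keys inside flattened map values such as `key_provider.parameters`, which a name-only check would miss. The keyword pattern, the `<REDACTED>` placeholder and the function names are assumptions made for this example.

```python
import re

# Assumption: a setting or map key is sensitive if it contains one of these words.
SENSITIVE = re.compile(r"password|secret|passphrase", re.IGNORECASE)
REDACTED = "<REDACTED>"  # placeholder chosen for this example
# key=value pairs inside a flattened map, e.g. {keystore_password=x, keystore=y}
MAP_ENTRY = re.compile(r"([A-Za-z0-9_.]+)=([^,}]*)")

def redact_value(name, value):
    """Return (redacted_value, exposed_items) for one settings row."""
    if not value:                       # unset settings expose nothing
        return value, []
    if SENSITIVE.search(name.rsplit(".", 1)[-1]):
        return REDACTED, [name]         # scalar setting such as *.keystore_password
    exposed = []
    def mask(m):
        key, val = m.group(1), m.group(2)
        if SENSITIVE.search(key) and val.strip():
            exposed.append(f"{name}[{key}]")
            return f"{key}={REDACTED}"
        return m.group(0)
    text = value.strip()
    if text.startswith("{") and text.endswith("}"):
        # Map-valued setting: the name looks harmless, the keys inside do not.
        return MAP_ENTRY.sub(mask, text), exposed
    return value, []

def audit(rows):
    """rows: iterable of (name, value). Returns (redacted_rows, exposed_items)."""
    cleaned, findings = [], []
    for name, value in rows:
        new_value, exposed = redact_value(name, value)
        cleaned.append((name, new_value))
        findings.extend(exposed)
    return cleaned, findings

# Constructed sample rows, reusing the setting names and values quoted in the issue.
SAMPLE_ROWS = [
    ("client_encryption_options.truststore_password", "changeit"),
    ("server_encryption_options.keystore_password", "changeit"),
    ("transparent_data_encryption_options.key_provider.parameters",
     "{keystore_password=cassandra, keystore=conf/.keystore, "
     "store_type=JCEKS, key_password=cassandra}"),
    ("client_encryption_options.keystore", "conf/.keystore"),
    ("client_encryption_options.keystore_password", None),
]

if __name__ == "__main__":
    cleaned, findings = audit(SAMPLE_ROWS)
    print(*(f"{n} | {v}" for n, v in cleaned), sep="\n")
    print("exposed:", findings)
```

A non-empty findings list from rows pulled off a live node means that node still returns secrets in plaintext to anyone with `SELECT` on the table.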