Vaion-262: plaintext password in audit log when user changes their password

Release Date

11th March 2020.

Overview

When a manually added user changes their password in "My profile", their old password is shown in plaintext in the audit log.

Affected Products

  • vcore:
    • All versions up to and including 1.4.2.
    • All 1.5 versions up to and including 1.5.1.

Unaffected Products

  • vcore:
    • All 1.4 versions from 1.4.3.
    • All versions from 1.5.2.
  • vcam: All versions.
  • vcloud: All versions.

Resolution

This issue has been fixed in vcore versions 1.4.3 and 1.5.2. We recommend that all vcore installations running an affected version upgrade to the latest release as soon as possible.

Vulnerability Information

Mitigations

This vulnerability can be mitigated by deleting the affected logs. Do this by connecting to the vcore SSH console and executing the following command (note that this will delete all logs):

vplat# advanced clear-logs
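As an added illustration (not Vaion's code; the advisory does not publish vcore's audit-log format), the Python below shows a hypothetical audit logger in the vulnerable shape described in the Overview beside a hardened one, a scanner a defender could run over exported JSON-lines audit logs to find entries that still carry credential material, and a scrub that redacts such fields instead of clearing every log as the mitigation above does. The field names and sample entries are constructed.

```python
import json
import re

# Keys whose values must never reach an audit log (constructed list; the
# real vcore field names are not given in the advisory).
SECRET_KEYS = re.compile(r"(^|_)(password|passwd|secret|token)($|_)", re.I)
REDACTED = "[REDACTED]"


def audit_password_change_vulnerable(user, old_password):
    # Vulnerable pattern: the event embeds the credential itself, so anyone
    # who can read the audit log learns the user's old password.
    return json.dumps({"event": "password_change", "user": user,
                       "old_password": old_password})


def audit_password_change(user, source_ip):
    # Hardened pattern: record who changed their password and from where.
    # Neither the old nor the new secret is ever placed in the event.
    return json.dumps({"event": "password_change", "user": user,
                       "source_ip": source_ip})


def scan_audit_log(lines):
    """Return (line_no, key) pairs where a secret-like key holds a live value."""
    findings = []
    for n, line in enumerate(lines, 1):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # non-JSON lines are outside this check's scope
        for key, value in event.items():
            if SECRET_KEYS.search(key) and value not in ("", REDACTED):
                findings.append((n, key))
    return findings


def scrub_audit_log(lines):
    """Return the log with every secret-like field replaced by REDACTED."""
    out = []
    for line in lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            out.append(line)
            continue
        out.append(json.dumps({k: (REDACTED if SECRET_KEYS.search(k) else v)
                               for k, v in event.items()}))
    return out


# Constructed sample log: one vulnerable entry, one hardened, one unrelated.
SAMPLE_LOG = [
    audit_password_change_vulnerable("alice", "hunter2"),
    audit_password_change("bob", "10.0.0.5"),
    json.dumps({"event": "login", "user": "carol", "source_ip": "10.0.0.7"}),
]
```

Running `scan_audit_log(SAMPLE_LOG)` reports only the first entry; after `scrub_audit_log` the same scan reports nothing and the literal password is gone from the output.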

Acknowledgements

Issue found internally by Vaion.

Disclosure Timeline

  • 09/03/2020 Issue found internally by Vaion
  • 09/03/2020 Fix identified
  • 11/03/2020 Patched vcore released
  • 11/03/2020 Vulnerability publicly disclosed