The Deployment Monitoring Console (DMC), versions 8.3.7694 and earlier, allows unauthenticated access to a heap dump of the process memory via the Spring Boot Actuator heapdump endpoint (/actuator/heapdump). A heap dump captures the full contents of the JVM's memory and may therefore contain passwords, secrets and other confidential or proprietary data. We recommend that customers follow the steps below to resolve the issue immediately; a fix will also be provided in the 8.4 release of the Deployment Monitoring Console, which is scheduled for release by August 15th, 2023.
Products Impacted
This vulnerability affects the Deployment Monitoring Console (DMC) component in Liquibase Enterprise (formerly known as DaticalDB). Liquibase Enterprise installations are only impacted if the Deployment Monitoring Console (DMC) is running.
Liquibase Pro and Liquibase Community editions are not affected by this issue.
Steps to Resolve
The steps below apply to all affected versions of DMC (8.3.7694 and earlier)
Check System for Vulnerability
To check whether a DMC installation is vulnerable, navigate, without logging in, to the following URL on the DMC server: https:///actuator/heapdump
If the endpoint is exposed, the server generates a heap dump and the browser downloads it. The file can be scanned for confidential data (database passwords, tokens and other secrets held in memory). Treat the downloaded dump as sensitive material: it contains the same secrets an attacker would obtain, so store it only where required for analysis and delete it securely afterwards.
Disable the endpoint
- Add a file called application.properties to the DMC server in the /datical-service/config directory.
- Use the following content for the application.properties file:
    management.endpoints.enabled-by-default=false
    management.endpoint.health.enabled=true
    management.endpoint.info.enabled=true
    management.endpoints.web.exposure.include=health,info,metrics
  With enabled-by-default=false, only endpoints that are explicitly enabled (health and info here) remain active, regardless of the exposure list; heapdump is neither enabled nor listed for exposure, so it is disabled on both counts. Note that metrics is listed for exposure but not explicitly enabled, so it also remains disabled unless management.endpoint.metrics.enabled=true is added.
- Ensure the file is readable and owned by the datical user and group, using the command line on the DMC server:
    sudo chown : /datical-service/config/application.properties
    sudo chmod ugo+r /datical-service/config/application.properties
- Restart the DMC:
    sudo /bin/datical-control service restart datical-service
Verify Resolution
After the restart, the endpoint should be disabled and the heap dump should no longer be available.
- Navigate back to the URL: https:///actuator/heapdump
- Instead of a heap dump download, the server should now return the Spring Boot fallback error page, which reads: "This application has no explicit mapping for /error, so you are seeing this as a fallback."
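The check and the verification above can be scripted so that they are repeatable across several DMC hosts. The following is an added example written for this article and is not Liquibase tooling: it offers a live probe of the endpoint with curl and an offline audit of an application.properties override file that applies Spring Boot's rules (a per-endpoint management.endpoint.<id>.enabled setting overrides enabled-by-default, and an endpoint is reachable over HTTP only if it is both enabled and in the exposure include list and not in the exclude list). The baseline it merges the file onto assumes an effective exposure include of `*` for the shipped DMC, which is an assumption made only because the advisory states that heapdump is reachable; the script name, the file names and the sample property files in the usage comments are likewise illustrative.

```shell
#!/bin/sh
# Added example (not Liquibase's own tooling): audit DMC Actuator heapdump
# exposure, both live (curl) and from the application.properties override.

# prop FILE KEY : print the value of KEY in a .properties file (the last
# definition wins, as in Spring Boot); prints nothing if the key is absent
# or the file does not exist.
prop() {
    f=$1
    [ -f "$f" ] || f=/dev/null
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    sed -n "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$f" | tail -n 1
}

# in_list ITEM CSV : true if ITEM (or the wildcard *) appears in the
# comma-separated list CSV; whitespace around entries is ignored.
in_list() {
    printf '%s\n' "$2" | tr ',' '\n' \
        | sed 's/^[[:space:]]*//;s/[[:space:]]*$//' \
        | grep -qx -e "$1" -e '\*'
}

# Baseline the override file is merged onto. Spring Boot's own defaults are
# enabled-by-default=true and include=health; because the advisory shows the
# shipped DMC does expose heapdump, this ASSUMES an effective baseline of
# include=* (an assumption for this example, not a verified DMC setting).
BASE_ENABLED_BY_DEFAULT=true
BASE_INCLUDE='*'

# heapdump_exposed FILE : print "true" if, after merging FILE onto the
# baseline, the heapdump endpoint is both enabled and exposed over HTTP,
# otherwise "false".
heapdump_exposed() {
    f=$1
    by_default=$(prop "$f" management.endpoints.enabled-by-default)
    [ -n "$by_default" ] || by_default=$BASE_ENABLED_BY_DEFAULT
    # A per-endpoint setting overrides enabled-by-default in either direction.
    enabled=$(prop "$f" management.endpoint.heapdump.enabled)
    [ -n "$enabled" ] || enabled=$by_default
    include=$(prop "$f" management.endpoints.web.exposure.include)
    [ -n "$include" ] || include=$BASE_INCLUDE
    exclude=$(prop "$f" management.endpoints.web.exposure.exclude)
    if [ "$enabled" = true ] && in_list heapdump "$include" \
        && ! in_list heapdump "$exclude"; then
        echo true
    else
        echo false
    fi
}

# probe_heapdump BASE_URL : print the HTTP status code of GET /actuator/heapdump.
# 200 means the endpoint is exposed and a full heap dump is being streamed
# (possibly hundreds of MB), so the body is discarded and the request is
# time-capped. 404 with the fallback error page is the expected result after
# the fix. Only run this against systems you are authorized to test.
probe_heapdump() {
    curl -sk -o /dev/null --max-time 20 -w '%{http_code}' \
        "$1/actuator/heapdump"
}

# Usage (file name and host are illustrative):
#   sh dmc-heapdump-audit.sh /datical-service/config/application.properties
#   sh dmc-heapdump-audit.sh /datical-service/config/application.properties https://dmc.example.internal
if [ $# -gt 0 ]; then
    echo "override file says heapdump exposed: $(heapdump_exposed "$1")"
    if [ $# -gt 1 ]; then
        echo "live probe HTTP status: $(probe_heapdump "$2")"
    fi
fi
```

Running the offline audit against the override file from the steps above reports false, and it also reports false for an alternative file that only sets management.endpoints.web.exposure.exclude=heapdump; a file that sets enabled-by-default=false but then adds management.endpoint.heapdump.enabled=true reports true, because the per-endpoint setting wins. The audit does not see DMC's shipped configuration, so the live probe remains the authoritative check.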
Additional Security Measures
After resolving the vulnerability, Liquibase also recommends changing the Postgres database password used by the DMC, since it may already have been exposed through a heap dump retrieved before the fix was applied.
Changing the Postgres database password will require corresponding updates to any secret vaults housing the password and to any Liquibase Enterprise projects that reference it.
If you have any questions or concerns, please reply to this email or open a support ticket at https://support.liquibase.com/tickets-view