-
- Novice
- Posts: 6
- Liked: never
- Joined: Mar 11, 2019 9:33 am
- Full Name: Steve Lane
- Contact:
Password stored in Plain Text
I have just been reviewing some log files for the VBO365, before generating a case, to see if I can work out what is going on and have noticed that the account that is used to manage, has the password stored in plain text in the log files (when generating the support bundle).
I am sure this is not right and it should be encrypted.
Is there a way to do this, before I generate and send some log files to Veeam? Is this an oversight, as I can't remember this in the past (unless I didn't look closely enough..)
I am using version 6.1.0.254 P20220825
Thanks
Steve
-
- Product Manager
- Posts: 9848
- Liked: 2606 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Password stored in Plain Text
Hi Steve
Can you maybe share the log file name with me?
There shouldn't be any passwords in plain text in the log files.
I would like to check that in my lab.
Maybe you can also provide an example (after masking the password with x or * of course).
Thanks
Fabian
Product Management Analyst @ Veeam Software
-
- Novice
- Posts: 6
- Liked: never
- Joined: Mar 11, 2019 9:33 am
- Full Name: Steve Lane
- Contact:
Re: Password stored in Plain Text
Hi Fabian,
The file name is Veeam.Archiver.REST_2022_10_10_21_10_24
The text I can see is as follows (with the username *** out and the password ## out)
Please let me know if you need any more information.
[11.10.2022 00:32:49] 19 (5888) No resources to close
[11.10.2022 00:32:49] 19 (5888) Next lifetime resource pool check time: 11/10/2022 01:32:50 ArchiverServerSession.
[11.10.2022 00:32:49] 19 (5888) Lifetime resources pool check successfully completed: ArchiverServerSession
[11.10.2022 00:32:49] 213 (3692) Request: GET https://lonvbo001.law.firm.priv:4443/v5/Jobs?limit=1000000&username=LAW%5C***********&grant_type=password&password=##########
[11.10.2022 00:32:49] 213 (3692) Action started: Get jobs (API version: V5)
[11.10.2022 00:32:49] 213 (3692) Action completed successfully: Get jobs
[11.10.2022 00:32:49] 213 (3692) Request: GET https://lonvbo001.law.firm.priv:4443/v5/Jobs/c40c7007-4d22-4ba2-8c4b-02cda00da763/JobSessions?username=LAW%5C***********&grant_type=password&password=##########
[11.10.2022 00:32:49] 213 (3692) Action started: Get jobsessions (API version: V5)
[11.10.2022 00:32:49] 213 (3692) Action completed successfully: Get jobsessions
[11.10.2022 00:32:49] 213 (3692) Request: GET https://lonvbo001.law.firm.priv:4443/v5/JobSessions/d61860d5-65c1-4e23-9b2b-bf8649d2e295/LogItems?limit=1000000&username=LAW%5C***********&grant_type=password&password=##########
[11.10.2022 00:32:49] 213 (3692) Action started: Get log (API version: V5)
[11.10.2022 00:32:49] 213 (3692) Action completed successfully: Get log
[11.10.2022 00:32:49] 213 (3692) Request: GET https://lonvbo001.law.firm.priv:4443/v5/Jobs/0ecd98f3-3a90-4bcc-9619-0725784c07b2/JobSessions?username=LAW%5C***********&grant_type=password&password=##########
[11.10.2022 00:32:49] 213 (3692) Action started: Get jobsessions (API version: V5)
[11.10.2022 00:32:49] 213 (3692) Action completed successfully: Get jobsessions
Thanks
Steve
-
- Product Manager
- Posts: 9848
- Liked: 2606 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Password stored in Plain Text
Hi Steve
I assume it's the same issue as this one: https://forums.veeam.com/post466090.html#p466090
Please check your scripts.
It seems that in your script the URLs are hardcoded with "?username=LAW%5C***********&grant_type=password&password=##########"
That's completely unnecessary and will not even be processed by the VB365 server. You have to provide the access token within the request header.
With advanced logging, our log file will log any URL that you have tried to access the VB365 RestAPI service. Each Webserver does that.
That's why there are Access Tokens. They are the only supported and secure way to authenticate with the VB365 Rest API Endpoints and will not be logged.
https://helpcenter.veeam.com/archive/vb ... ation.html
Thanks
Fabian
Product Management Analyst @ Veeam Software
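Added example, not part of the thread and not Veeam code: one way to mask credential query parameters in log lines of the format quoted above before a bundle is shared, and to count which endpoint paths received such requests so the client sending them can be traced. The parameter list, host name and sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Query parameters whose values must never reach a shared log bundle
# (assumed list, not taken from the product; extend for your environment).
SECRET_PARAMS = ("password", "client_secret", "access_token", "refresh_token")
_SECRET_RE = re.compile(r"(?i)([?&](%s)=)[^&#\s]*" % "|".join(SECRET_PARAMS))
_REQUEST_RE = re.compile(r"Request: [A-Z]+ (\S+)")

def scrub_line(line):
    """Return (line with secret values masked, lowercase names of masked parameters)."""
    names = [m.group(2).lower() for m in _SECRET_RE.finditer(line)]
    return _SECRET_RE.sub(r"\1[REDACTED]", line), names

def scrub_log(lines):
    """Mask secrets in every line; return (clean_lines, findings, hits_per_path)."""
    clean, findings, paths = [], [], Counter()
    for number, line in enumerate(lines, start=1):
        masked, names = scrub_line(line)
        clean.append(masked)
        if names:
            findings.append((number, names))
            request = _REQUEST_RE.search(line)
            if request:
                # The endpoint path helps identify which tool is building these URLs.
                paths[urlsplit(request.group(1)).path] += 1
    return clean, findings, paths

# Constructed sample in the format of the excerpt above; host and credentials are made up.
SAMPLE = [
    "[11.10.2022 00:32:49] 19 (5888) No resources to close",
    "[11.10.2022 00:32:49] 213 (3692) Request: GET https://vbo.example.test:4443"
    "/v5/Jobs?limit=1000000&username=LAB%5Csvc&grant_type=password&password=Hunter2%21",
    "[11.10.2022 00:32:49] 213 (3692) Action started: Get jobs (API version: V5)",
    "[11.10.2022 00:32:49] 213 (3692) Request: GET https://vbo.example.test:4443/v5/Jobs?limit=10",
]

if __name__ == "__main__":
    clean, findings, paths = scrub_log(SAMPLE)
    print("\n".join(clean))
    print("lines with secrets:", findings)
    print("endpoints hit with credentials in the URL:", dict(paths))
```

Masking the bundle does not undo the exposure: a password that has already been written to a log should be rotated, and the client should be changed to send its token in the request header.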
-
- Novice
- Posts: 6
- Liked: never
- Joined: Mar 11, 2019 9:33 am
- Full Name: Steve Lane
- Contact:
Re: Password stored in Plain Text
Hi Fabian,
That link doesn't work for the post you sent me. In addition, we are not using any scripts, that we are aware of and the config is pretty much out of the box.
Shall I arrange a support case to investigate this further?
Thanks
Steve
-
- Product Manager
- Posts: 9848
- Liked: 2606 times
- Joined: May 13, 2017 4:51 pm
- Full Name: Fabian K.
- Location: Switzerland
- Contact:
Re: Password stored in Plain Text
I updated the link. It should work now.
There should be a third-party tool which is accessing these URLs:
https://lonvbo001.law.firm.priv:4443/v5/JobSessions
Any chance, that you have a monitoring or ticketing system in place?
Thanks
Fabian
Product Management Analyst @ Veeam Software