Objective
Any user with access to the system running an instance of the On-Premises Contrast UI can list running processes from the command line and potentially gain access to sensitive information such as the Java TrustStore password.
For example, running the command ps aux | grep java might produce output like this:
contras+ 10977 103 29.5 12888812 4802512 ? Sl 19:52 3:47 /app/contrast/jre/bin/java -server -Dcontrast.home=${installer:sys.installationDir} -enableassertions -Djava.net.preferIPv4Stack=true -XX:+UseG1GC -XX:+PrintVMOptions -XX:+PrintCommandLineFlags -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/app/contrast/logs -Dfile.encoding=utf-8 -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=50.0 -XX:MinRAMPercentage=50.0 -Xloggc:/app/contrast/gc.log -Dorg.owasp.esapi.logSpecial.discard=true -XX:+UseStringDeduplication -server -Djava.awt.headless=true --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.regex=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-exports=java.base/sun.net.spi=ALL-UNNAMED --add-opens=java.base/sun.net.spi=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-exports=java.base/sun.security.ssl=ALL-UNNAMED --add-opens=java.base/java.math=ALL-UNNAMED -Djavax.net.ssl.trustStore=/app/contrast/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=mytruststorepassword -classpath /app/contrast/.install4j/i4jruntime.jar:/app/contrast/.install4j/launcher172586ef.jar:/app/contrast/lib/* install4j.com.contrastsecurity.teamserver.Server start --contrast.home=${installer:sys.installationDir}
This article details how to obfuscate such sensitive data.
Process
Embedded Tomcat
When installing Contrast using the installer, the resulting UI will run on an embedded version of Tomcat. The embedded version of Tomcat has custom methods of configuration that differ from the methods used by a standalone Tomcat installation.
Custom environment variables that are visible only in the context of the running Tomcat server can be added to an Install4j configuration file (the embedded Contrast installer uses Install4j) and then referenced in custom JVM options, resulting in the values being obfuscated in the running process command line.
To continue the example above, you could add the TrustStore password to the Install4j response file, which you can find at $CONTRAST_HOME/.install4j/response.varfile, like so:
TrustStorePassword=myp@$$w0rd
and then configure the Contrast Server JVM options by editing $CONTRAST_HOME/bin/contrast-server.vmoptions
to reference this variable like so:
-Djavax.net.ssl.trustStorePassword=${installer:TrustStorePassword}
Now, the running process will show up as follows, with the password obfuscated:
contras+ 10977 103 29.5 12888812 4802512 ? Sl 19:52 3:47 /app/contrast/jre/bin/java -server -Dcontrast.home=${installer:sys.installationDir} -enableassertions -Djava.net.preferIPv4Stack=true -XX:+UseG1GC -XX:+PrintVMOptions -XX:+PrintCommandLineFlags -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/app/contrast/logs -Dfile.encoding=utf-8 -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=50.0 -XX:MinRAMPercentage=50.0 -Xloggc:/app/contrast/gc.log -Dorg.owasp.esapi.logSpecial.discard=true -XX:+UseStringDeduplication -server -Djava.awt.headless=true --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.regex=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-exports=java.base/sun.net.spi=ALL-UNNAMED --add-opens=java.base/sun.net.spi=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-exports=java.base/sun.security.ssl=ALL-UNNAMED --add-opens=java.base/java.math=ALL-UNNAMED -Djavax.net.ssl.trustStore=/app/contrast/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=${installer:TrustStorePassword} -classpath /app/contrast/.install4j/i4jruntime.jar:/app/contrast/.install4j/launcher172586ef.jar:/app/contrast/lib/* install4j.com.contrastsecurity.teamserver.Server start --contrast.home=${installer:sys.installationDir}
Standalone Tomcat
For a standalone instance of Tomcat, the process is similar. In this case, the variable is added to $CATALINA_BASE/conf/catalina.properties instead, and the reference in the Contrast Server JVM options looks like this:
-Djavax.net.ssl.trustStorePassword=${TrustStorePassword}
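To verify that the change took effect on either the embedded or the standalone Tomcat setup, the following added example (not part of the original article) scans ps-style output for -D options whose name suggests a secret and whose value is a literal rather than a ${...} placeholder. The sample process lines are constructed for this example and mirror the listings above; the function names are hypothetical.

```shell
#!/bin/sh
# Flag JVM -D options that carry a secret in clear text on the command line.
# A value of the form ${...} (Install4j or Tomcat placeholder) is considered
# obfuscated and is not reported.

# Constructed sample standing in for `ps aux | grep java` output: the first
# line leaks the password, the other two use placeholders.
SAMPLE_PS='contras+ 10977 103 29.5 12888812 4802512 ? Sl 19:52 3:47 /app/contrast/jre/bin/java -server -Djavax.net.ssl.trustStore=/app/contrast/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=mytruststorepassword -classpath /app/contrast/lib/* install4j.com.contrastsecurity.teamserver.Server start
contras+ 10978 103 29.5 12888812 4802512 ? Sl 19:53 3:47 /app/contrast/jre/bin/java -server -Djavax.net.ssl.trustStorePassword=${installer:TrustStorePassword} -Dcontrast.home=${installer:sys.installationDir} install4j.com.contrastsecurity.teamserver.Server start
tomcat   22001  5.0  3.1  9000000 1200000 ? Sl 19:54 0:12 /usr/bin/java -Djavax.net.ssl.trustStorePassword=${TrustStorePassword} -Dcatalina.base=/opt/tomcat org.apache.catalina.startup.Bootstrap start'

# find_cleartext_jvm_secrets: reads ps lines on stdin and prints "<pid> <option>"
# for every -D option whose key mentions password/passwd/secret/token and whose
# value is not wrapped in ${...}.
find_cleartext_jvm_secrets() {
  awk '
    {
      for (i = 1; i <= NF; i++) {
        if ($i !~ /^-D[^=]+=/) continue
        key = $i; sub(/^-D/, "", key); sub(/=.*/, "", key)
        val = $i; sub(/^-D[^=]+=/, "", val)
        placeholder = (substr(val, 1, 2) == "${" && substr(val, length(val), 1) == "}")
        if (tolower(key) ~ /(password|passwd|secret|token)/ && !placeholder)
          print $2, $i
      }
    }'
}

# count_findings: number of flagged options in the constructed sample.
count_findings() {
  printf '%s\n' "$SAMPLE_PS" | find_cleartext_jvm_secrets | wc -l | tr -d ' '
}

# On a live host, replace the sample with: ps aux | find_cleartext_jvm_secrets
printf '%s\n' "$SAMPLE_PS" | find_cleartext_jvm_secrets
```

An empty result on a live host means every secret-looking -D option is either absent or referenced through a placeholder.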