Resolved Issues

The following issues have been resolved with this release of the Data Sync Server:

Ticket ID Description
DS-38670 Fixed an issue in which the startIndex value for SCIM requests would be incorrect if the used LDAPSearch element had more than one baseDN defined in the scim-resources XML file.
DS-38897, DS-38908

Fixed the following issues, in which the server could have exposed some clear-text passwords in files on the server file system:

  • When creating an encrypted backup of the alarms, alerts, configuration, encryption settings, schema, tasks, or trust store backends, the password used to generate the encryption key, which might have been obtained from an encryption settings definition, could have been inadvertently written into the backup descriptor. This problem did not affect local DB backends (like userRoot), the LDAP changelog backend, or the replication database.
  • When running certain command-line tools with an argument that instructs the tool to read a password from a file, the password contained in that file could have been written into the server's tool invocation log instead of the path to that file. This issue affected the following tools:

    backup create-initial-config create-initial-proxy-config dsreplication
    enter-lockdown-mode export-ldif import-ldif ldappasswordmodify
    leave-lockdown-mode manage-tasks manage-topology migrate-ldap-schema
    parallel-update prepare-endpoint-server prepare-external-server realtime-sync
    rebuild-index re-encode-entries reload-http-connection-handler-certificates reload-index
    remove-defunct-server restore rotate-log stop-server

    Other tools are unaffected. Additionally, this issue included only passwords that were contained in files provided as command-line arguments. Passwords that were included in the tools.properties file, or in a file that tools.properties referenced, were not exposed.

In each of these cases, the files were written with permissions that made their contents accessible only to the system account that ran the server. Further, while administrative passwords might have been exposed in the tool invocation log, neither the passwords for regular users nor the data from their entries should have been affected. New automated tests help to ensure that such incidents no longer occur.

We recommend changing any administrative passwords that might have been compromised as a result of this issue. If the passphrase for an encryption settings definition might have been exposed, perform the following steps:

  1. Create a new encryption settings definition that is preferred for all subsequent encryption operations.
  2. Export your data to LDIF.
  3. Re-import your data to encrypt it with the new key.

You might want to re-encrypt or destroy existing backups, LDIF exports, or other data that is encrypted with a compromised key. You might also want to sanitize or destroy existing tool invocation log files that contain clear-text passwords.