Vertica is leaking UD session parameters "secret" and "password" in DC table
Hi,
Vertica is nicely hiding values of UD session parameters that contain "secret" and "password" in their names, making them usable to pass sensitive info to UDx code.
For example, if you check dc_requests_issued, the value of the parameter in ALTER SESSION ... will be masked. The same goes for the sessions system view, in the "current_statement" column. The value of a UD session parameter will be hidden in vertica.log.
Still, the DC table dc_session_parameters is leaking the values of UD session parameters "secret" and "password" in clear text. I can see all sensitive passwords in clear text. Bug observed in v 24.3.0-1.
Please inform security team about this issue.
Thank you
Sergey
Answers
@Sergey_Cherepan_1 : This bug has been fixed in 25.1. Please try the test in 25.1 and above.