Artifactory Encrypted Secret

ID

artifactory_pwd

Severity

low

Vendor

JFrog

Family

Password

Description

JFrog Artifactory is a Repository Manager for binary resources including libraries, remote artifacts and other third-party resources.

The self-managed edition of Artifactory may need to store credentials for authenticating to remote services. These credentials are stored encrypted in the configuration file (artifactory.config.xml or artifactory.config.latest.xml, or system.yaml in more recent versions), and the key that encrypts them is stored alongside, in the file artifactory.key.

A second key, stored in the file master.key, encrypts local secrets such as the database password.

Security

If the Artifactory configuration files and the encryption key files are leaked together, decrypting JFrog's encrypted secrets is trivial: tools for offline decryption are available, so the encrypted values are only as safe as the key stored next to them. Assume that every encrypted secret in a leaked configuration is compromised.

Examples

The following code shows a key file, which holds the decryption key for secrets stored in configuration files.

# artifactory.key
JS.25rLQ.AES128.7fc...Zuxu

An encrypted secret shown in artifactory.config.xml:

<config>
  ...
  <mailServer>
    <enabled>true</enabled>
    <host>smtp.gmail.com</host>
    <port>465</port>
    <username>user@gmail.com</username>
    <password>AM.25sB3.AES128.2cnbffVxxE...quiPqVY56ZP</password>
    <from>user@example.com</from>
  </mailServer>
  ...
</config>
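The Security section above rests on one condition: a configuration file with encrypted values plus the key file that encrypts them, leaked together. The following scanner, an added example that is not part of the original page and not a JFrog tool, applies that check to a set of files. It recognises the token shape shown in the two examples above, `<prefix>.<segment>.AES128.<payload>` with `JS.` for key material and `AM.` for an encrypted value, also flags files named artifactory.key or master.key by name (the contents of master.key are not shown on this page, so only its filename is matched), and reports the set as compromised when both key material and encrypted secrets are present. The meaning of the second token segment (`25rLQ`, `25sB3`) is not documented here; the scanner carries it through unchanged for reporting only. The sample repository contents are constructed for the example and contain no real key or secret.

```python
"""Scan files for JFrog Artifactory encrypted-secret tokens and key files.

Added example, not JFrog's code. It decides whether a leaked set of files
lets an attacker recover the plaintext (key material + encrypted values
present together); it does not decrypt anything.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Token shape taken from the examples above: JS.<segment>.AES128.<payload> in
# artifactory.key and AM.<segment>.AES128.<payload> as an encrypted value.
# The payload character set is an assumption (base64-like).
TOKEN_RE = re.compile(r"\b(JS|AM)\.([A-Za-z0-9]+)\.(AES128)\.([A-Za-z0-9+/=_-]{8,})")

# Key files named on this page; master.key is matched by name only.
KEY_FILENAMES = ("artifactory.key", "master.key")


@dataclass(frozen=True)
class Finding:
    path: str
    kind: str          # "key" (JS. token) or "secret" (AM. token)
    segment: str       # second token segment, reported as-is
    algo: str          # "AES128"
    preview: str       # first characters of the payload, never the whole value


def scan_text(path: str, text: str) -> list[Finding]:
    """Return every JS./AM. token found in one file's text."""
    findings = []
    for m in TOKEN_RE.finditer(text):
        prefix, segment, algo, payload = m.groups()
        kind = "key" if prefix == "JS" else "secret"
        findings.append(Finding(path, kind, segment, algo, payload[:6] + "..."))
    return findings


def is_key_file(path: str) -> bool:
    """True for paths whose basename is one of the Artifactory key files."""
    return path.replace("\\", "/").rsplit("/", 1)[-1] in KEY_FILENAMES


def assess(files: dict[str, str]) -> dict:
    """Classify a {path: text} map and decide if the secrets are recoverable.

    Compromised means: at least one encrypted value (AM. token) is present,
    and either a JS. key token or a file named artifactory.key/master.key
    is present in the same set, which is exactly the situation the Security
    section describes.
    """
    findings = [f for path, text in files.items() for f in scan_text(path, text)]
    keys = [f for f in findings if f.kind == "key"]
    secrets = [f for f in findings if f.kind == "secret"]
    key_files = sorted(p for p in files if is_key_file(p))
    return {
        "keys": keys,
        "secrets": secrets,
        "key_files": key_files,
        "compromised": bool(secrets) and (bool(keys) or bool(key_files)),
    }


# Constructed sample repository; the token values are made up for this example.
SAMPLE_REPO = {
    "etc/security/artifactory.key": "JS.25rLQ.AES128.7fcQ2m9kL0xVbA3nPqRsTuZuxu\n",
    "etc/artifactory.config.xml": (
        "<config>\n  <mailServer>\n"
        "    <username>user@gmail.com</username>\n"
        "    <password>AM.25sB3.AES128.2cnbffVxxEaBcdEfGhIjKlquiPqVY56ZP</password>\n"
        "  </mailServer>\n</config>\n"
    ),
    "README.md": "Plain text, nothing sensitive here.\n",
}

if __name__ == "__main__":
    report = assess(SAMPLE_REPO)
    for f in report["keys"] + report["secrets"]:
        print(f"{f.kind:6} {f.path}: {f.algo} segment={f.segment} payload={f.preview}")
    print("key files by name:", report["key_files"])
    print("assume compromised:", report["compromised"])
```

Run it against a checkout (or an unpacked backup) by building the `files` map from disk; a result of `compromised: True` means the leak should be handled as plaintext exposure of every `AM.` value found, which is the assumption the Mitigation steps below start from. A set that contains only `AM.` tokens and no key material still warrants rotation if the key file could have leaked through another path.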

Mitigation / Fix

  1. Assume that every credential found in artifactory.config.xml or system.yaml is compromised, and rotate each one following the instructions of the target system it authenticates to.

  2. Check whether key encryption is enabled: Go to admin > Security > Security Configuration and edit the Password Encryption section.

  3. Restart your Artifactory self-managed server. If key encryption is enabled, Artifactory encrypts the passwords in the configuration files automatically. Once encrypted, the configuration files can be backed up, but keep artifactory.key and master.key out of that backup: as the Security section notes, the encrypted values are only as safe as the key stored next to them.

  4. Check access logs to ensure that the secret was not used by unintended actors during the exposure window. Because these secrets authenticate to remote services, this means the access logs of each target system, not only Artifactory's own logs.

  5. (Optional) Remove the Artifactory configuration file and key file (artifactory.key, master.key) from the source code or committed configuration.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.