CVE-2024-53865

8.2 HIGH

📋 TL;DR

The zhmcclient Python library logs sensitive password properties in clear text when certain API functions are called. This exposes credentials like FTP passwords, master passwords, and LDAP bind passwords to anyone with access to the logs. Only users who have enabled specific loggers (zhmcclient.api or zhmcclient.hmc) and use the affected functions are impacted.

💻 Affected Systems

Products:
  • zhmcclient
Versions: All versions before 1.18.1
Operating Systems: All platforms running Python
Default Config Vulnerable: ✅ No
Notes: Only vulnerable if Python loggers 'zhmcclient.api' or 'zhmcclient.hmc' are enabled and affected functions are used.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).


Recommended Actions:
  1. Review the CVE details at NVD
  2. Check vendor security advisories for your specific version
  3. Test if the vulnerability is exploitable in your environment
  4. Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers with log access can steal credentials, potentially compromising IBM Z HMC systems, partitions, LDAP integrations, and administrative accounts, leading to full system takeover.

🟠 Likely Case

Internal users or attackers with log access can harvest credentials from logs, enabling unauthorized access to HMC-managed resources and sensitive systems.

🟢 If Mitigated

With proper log access controls and monitoring, credential exposure is limited, but logs remain a persistent risk if not secured.

🌐 Internet-Facing: LOW - This is a client library vulnerability; exploitation requires access to logs, which are typically internal.
🏢 Internal Only: HIGH - Internal attackers or misconfigured log storage can easily access clear-text credentials from logs.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW - Requires read access to logs where credentials are stored in clear text.

Exploitation is passive; attackers simply read logs to obtain credentials without active exploitation steps.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.18.1

Vendor Advisory: https://github.com/zhmcclient/python-zhmcclient/security/advisories/GHSA-p57h-3cmc-xpjq

Restart Required: No

Instructions:

1. Upgrade zhmcclient to version 1.18.1 or later using pip: 'pip install --upgrade zhmcclient'.
2. Verify the upgrade with 'pip show zhmcclient'.
3. No restart is required, but ensure applications using the library reload the updated version.

🔧 Temporary Workarounds

Disable vulnerable loggers

Applies to: all

Raise the 'zhmcclient.api' and 'zhmcclient.hmc' Python loggers to WARNING so that the INFO and DEBUG records carrying the sensitive properties are no longer emitted.

import logging
# Records below WARNING (INFO, DEBUG) from these two loggers are dropped before any handler sees them.
logging.getLogger('zhmcclient.api').setLevel(logging.WARNING)
logging.getLogger('zhmcclient.hmc').setLevel(logging.WARNING)

🧯 If You Can't Patch

  • Restrict access to log files containing zhmcclient logs to authorized personnel only.
  • Implement log monitoring and alerting for any clear-text password entries in logs.

🔍 How to Verify

Check if Vulnerable:

Check whether the installed zhmcclient version is below 1.18.1 and whether the loggers 'zhmcclient.api' or 'zhmcclient.hmc' are enabled at INFO or DEBUG level.

Check Version:

pip show zhmcclient | grep Version

Verify Fix Applied:

Confirm zhmcclient version is 1.18.1 or later and test that sensitive properties are no longer logged in clear text.

📡 Detection & Monitoring

Log Indicators:

  • Clear-text entries of 'boot-ftp-password', 'ssc-master-pw', 'zaware-master-pw', 'password', or 'bind-password' in logs.

Network Indicators:

  • None - this is a local logging issue.

SIEM Query:

Search logs for patterns like 'password=*' or 'bind-password=*' in the context of zhmcclient log records.
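As an added example, not code from this page or from the zhmcclient project: a small Python check that reports whether the affected loggers are effectively at INFO or DEBUG (the condition under How to Verify), applies the page's workaround, and scans log lines for the property names listed under Log Indicators, reporting each hit with the value redacted. The sample log lines and their record layout are constructed assumptions, not zhmcclient's actual output format.

```python
import logging
import re

# Property names the page lists as logged in clear text, and the two loggers involved.
SENSITIVE_PROPS = ("boot-ftp-password", "ssc-master-pw", "zaware-master-pw",
                   "password", "bind-password")
VULN_LOGGERS = ("zhmcclient.api", "zhmcclient.hmc")

# Matches 'prop': 'value', "prop": "value" or prop=value. Longest names first so
# 'bind-password' is reported under its own name rather than as 'password'.
_PROP_RE = re.compile(
    r"""['"]?(?P<prop>%s)['"]?\s*[:=]\s*['"]?(?P<val>[^'",}\s]+)"""
    % "|".join(sorted(map(re.escape, SENSITIVE_PROPS), key=len, reverse=True)))

# Constructed sample records; the layout is an assumption, not zhmcclient's real format.
SAMPLE_LOG = [
    "10:00:01 DEBUG zhmcclient.api: Called Partition.update_properties(properties="
    "{'boot-ftp-host': 'ftp.example.test', 'boot-ftp-password': 'S3cret!'})",
    "10:00:02 DEBUG zhmcclient.hmc: Request: POST /api/console/operations/"
    "create-ldap-server-definition body={'name': 'corp', 'bind-password': 'hunter2'}",
    "10:00:03 INFO zhmcclient.api: Called Cpc.list_permitted_partitions()",
    "10:00:04 INFO myapp: password rotation completed for 3 accounts",
]

def loggers_exposing_credentials(
        level_of=lambda name: logging.getLogger(name).getEffectiveLevel()):
    """Affected loggers whose effective level admits INFO/DEBUG records.
    level_of is injectable so the check can be tested without touching global state."""
    return [n for n in VULN_LOGGERS if level_of(n) <= logging.INFO]

def apply_workaround():
    """The page's workaround: raise both loggers to WARNING so INFO/DEBUG records drop."""
    for name in VULN_LOGGERS:
        logging.getLogger(name).setLevel(logging.WARNING)

def find_cleartext_credentials(lines):
    """Return (line_no, property) for each sensitive value in a record from one of
    the affected loggers; records from other loggers are ignored (see line 4)."""
    hits = []
    for no, line in enumerate(lines, 1):
        if any(name in line for name in VULN_LOGGERS):
            hits.extend((no, m.group("prop")) for m in _PROP_RE.finditer(line))
    return hits

def redact(line):
    """Copy of the record with each sensitive value replaced by '***', so an alert
    quoting the record does not re-expose the credential."""
    return _PROP_RE.sub(lambda m: line[m.start():m.start("val")] + "***", line)
```

Run it against your own exported log lines in place of SAMPLE_LOG; any hit from a zhmcclient.api or zhmcclient.hmc record means the credential in that record should be treated as exposed and rotated.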
