fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode
Description
When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain the TLS private key, they could impersonate the chaincode server.
Recommendation
- Update to the fixed version of the chaincode runtime.
- Redact or remove existing logs that contain the TLS private key password.
- Change the TLS private key password.
Mitigation
Impacted deployments can mitigate the vulnerability by restricting the logging level to WARNING or higher so that INFO level logs are not written.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Hyperledger Fabric Java chaincode logs TLS private key password in plaintext at INFO level when deployed in chaincode-as-a-service mode with TLS enabled.
Vulnerability
The vulnerability affects Hyperledger Fabric's Java chaincode implementation (fabric-chaincode-shim). When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server writes the TLS private key password in plaintext as part of its INFO level logging [2]. Affected versions are fabric-chaincode-shim >= 2.3.1 and <= 2.5.9 [2]. The code path is reachable when the chaincode-as-a-service deployment pattern is used and TLS is enabled for the chaincode server [1][2][3].
Exploitation
An attacker requires access to the chaincode server logs written at INFO or a more verbose level (such as DEBUG), where the TLS private key password is recorded in plaintext [2]. No authentication or special privileges on the chaincode server are needed if the logs themselves are accessible, for example through a log aggregator, a shared volume, or a container log endpoint. The attacker reads the password from the log entries. If the attacker also obtains the corresponding TLS private key file (e.g., through a separate attack, misconfiguration, or shared storage), they can use the password to decrypt or load the private key [2][3].
Impact
Successful exploitation allows the attacker to obtain the TLS private key password. Combined with access to the private key file, the attacker can impersonate the legitimate chaincode server, potentially intercept or manipulate communication between the chaincode and peers, or perform man-in-the-middle attacks [2][3]. The compromise directly undermines TLS authentication and confidentiality for the chaincode service.
Mitigation
A fixed version of the chaincode runtime is recommended but has not yet been released as of the advisory publication date (May 19, 2026) [2]. As an immediate workaround, restrict the chaincode server's logging level to WARNING or higher to prevent INFO level logs from being written [2][3]. Additionally, redact or remove any existing logs that contain the TLS private key password, and change the TLS private key password to invalidate any password already exposed [2][3].
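The recommendation to redact existing logs (above and in the Recommendation list) and the workaround of raising the log threshold to WARNING can both be checked mechanically. The following is an added example, not code from fabric-chaincode-java or from the advisory: it scans log lines for a leaked key password, returns a redacted copy, reports the log level each leaked line was written at, and shows which lines would survive a WARNING threshold. The sample log lines are constructed, and the field name `keyPassword` (plus the two alternatives) is an assumption, since the page does not state the exact form of the startup line; adjust `PASSWORD_FIELDS` to match the real output.

```python
"""Find and redact a TLS private key password leaked into chaincode server logs.

Added example (not fabric-chaincode-java code). Assumptions, labelled:
- the leaked value appears as a `field=value` or `field: value` pair on a
  startup line; the field names in PASSWORD_FIELDS are guesses;
- each log line starts with a timestamp token followed by the level name.
"""
import re
from typing import Iterable

# Assumed field names that may carry the TLS key password.
PASSWORD_FIELDS = ("keyPassword", "tlsKeyPassword", "key_password")

# field=value or field: value; the value runs up to the next comma,
# whitespace or closing brace (a password containing those would be cut
# short, so review any match manually before trusting the redaction).
_PATTERN = re.compile(
    r"(?P<field>" + "|".join(PASSWORD_FIELDS) + r")"
    r"(?P<sep>\s*[=:]\s*)(?P<value>[^,\s}]+)",
    re.IGNORECASE,
)

# Assumed line shape: "<timestamp> <LEVEL> <message>".
_LEVEL = re.compile(r"^\S+\s+(?P<level>[A-Z]+)\b")

# java.util.logging levels plus DEBUG, lowest to highest severity.
LEVEL_ORDER = ["FINEST", "FINER", "FINE", "DEBUG", "CONFIG", "INFO", "WARNING", "SEVERE"]

REDACTED = "[REDACTED]"


def redact_line(line: str) -> tuple[str, list[str]]:
    """Return the line with any password value replaced, plus the values found."""
    leaked: list[str] = []

    def _sub(m: re.Match) -> str:
        leaked.append(m.group("value"))
        return f"{m.group('field')}{m.group('sep')}{REDACTED}"

    return _PATTERN.sub(_sub, line), leaked


def redact_log(lines: Iterable[str]) -> tuple[list[str], set[str]]:
    """Redact every line; return (redacted lines, set of distinct leaked values)."""
    out: list[str] = []
    found: set[str] = set()
    for line in lines:
        redacted, leaked = redact_line(line)
        out.append(redacted)
        found.update(leaked)
    return out, found


def leak_levels(lines: Iterable[str]) -> list[str]:
    """Log level of each line that carries a password (expected: INFO)."""
    levels = []
    for line in lines:
        if _PATTERN.search(line):
            m = _LEVEL.match(line)
            levels.append(m.group("level") if m else "UNKNOWN")
    return levels


def surviving_at(lines: Iterable[str], threshold: str) -> list[str]:
    """Lines that a logger set to `threshold` would still emit.

    Simulates the workaround: with threshold WARNING the INFO startup line
    (and its password) is never written, at the cost of all INFO output.
    """
    cutoff = LEVEL_ORDER.index(threshold)
    keep = []
    for line in lines:
        m = _LEVEL.match(line)
        level = m.group("level") if m else None
        if level in LEVEL_ORDER and LEVEL_ORDER.index(level) >= cutoff:
            keep.append(line)
    return keep


# Constructed sample; not real chaincode server output.
SAMPLE_LOG = [
    "2026-05-19T10:00:00Z INFO starting chaincode-as-a-service server",
    "2026-05-19T10:00:00Z INFO server properties: port=9999, tlsEnabled=true, "
    "keyFile=/etc/hyperledger/tls/key.pem, keyPassword=s3cr3t-hunter2, "
    "keyCertChainFile=/etc/hyperledger/tls/cert.pem",
    "2026-05-19T10:00:01Z INFO gRPC server listening on 0.0.0.0:9999",
    "2026-05-19T10:00:05Z WARNING keepalive time exceeded for connection",
]

if __name__ == "__main__":
    redacted, leaked = redact_log(SAMPLE_LOG)
    print(f"leaked values: {len(leaked)} at levels {leak_levels(SAMPLE_LOG)}")
    print("\n".join(redacted))
    print(f"lines surviving WARNING threshold: {len(surviving_at(SAMPLE_LOG, 'WARNING'))}")
```

Run it against a real log export before and after raising the level: a non-empty `leaked` set means the log store must be purged and the key password rotated, as the advisory recommends, because redacting the file does not undo the exposure.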
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: >= 2.3.1, <= 2.5.9
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.