Daniil Kirilyuk created QPID-8583:
-------------------------------------
Summary: [Broker-J] Privacy Violation: Heap Inspection
Key: QPID-8583
URL: https://issues.apache.org/jira/browse/QPID-8583
Project: Qpid
Issue Type: Improvement
Components: Broker-J
Affects Versions: qpid-java-broker-8.0.6
Reporter: Daniil Kirilyuk
Sensitive data (such as passwords) stored in memory can be leaked if memory is
not cleared after use. Often, Strings are used store sensitive data, however,
since String objects are immutable, removing the value of a String from memory
can only be done by the JVM garbage collector. The garbage collector is not
required to run unless the JVM is low on memory, so there is no guarantee as to
when garbage collection will take place. In the event of an application crash,
a memory dump of the application might reveal sensitive data.
There are several classes susceptible to this issue (e.g.
ConfiguredObjectMethodAttribute, ConfiguredDerivedInjectedAttribute,
ConfiguredSettableInjectedAttribute, CramMd5Base64HexNegotiator,
CramMd5Base64HashedNegotiator).
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
