Daniil Kirilyuk created QPID-8616:
-------------------------------------
Summary: [Broker-J] Privacy Violation: Heap Inspection in ManagedUser
Key: QPID-8616
URL: https://issues.apache.org/jira/browse/QPID-8616
Project: Qpid
Issue Type: Improvement
Components: Broker-J
Affects Versions: qpid-java-broker-9.0.0
Reporter: Daniil Kirilyuk
Fix For: qpid-java-broker-9.0.1
Sensitive data (such as passwords) stored in memory can be leaked if memory is
not cleared after use. Often, Strings are used to store sensitive data; however,
since String objects are immutable, removing the value of a String from memory
can only be done by the JVM garbage collector. The garbage collector is not
required to run unless the JVM is low on memory, so there is no guarantee as to
when garbage collection will take place. In the event of an application crash,
a memory dump of the application might reveal sensitive data.
The approach used in QPID-8583 should be applied to class ManagedUser.
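
The issue above describes the risk of holding passwords in immutable Strings. The following added example is not Broker-J code and not necessarily the change made under QPID-8583; it shows the general pattern of keeping a password in a `char[]` and overwriting it after use. The class name, iteration count and sample password are assumptions made for illustration.

```java
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

// Hypothetical class for illustration; not Broker-J's ManagedUser.
public final class PasswordHolderExample {
    private static final int ITERATIONS = 210_000; // assumed work factor
    private static final int KEY_BITS = 256;

    // Derives a verifier from the password and wipes the caller's array before returning.
    static byte[] deriveAndWipe(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256")
                                   .generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();         // overwrites the copy held by PBEKeySpec
            Arrays.fill(password, '\0');  // overwrites the caller's copy
        }
    }

    // Checks a candidate password against the stored verifier without creating a String.
    static boolean verify(char[] candidate, byte[] salt, byte[] stored)
            throws GeneralSecurityException {
        byte[] derived = deriveAndWipe(candidate, salt);
        try {
            return MessageDigest.isEqual(derived, stored); // time-constant comparison
        } finally {
            Arrays.fill(derived, (byte) 0);
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);

        char[] initial = {'s', '3', 'c', 'r', 'e', 't'}; // constructed sample value
        byte[] stored = deriveAndWipe(initial, salt);

        char[] attempt = {'s', '3', 'c', 'r', 'e', 't'}; // constructed sample value
        boolean ok = verify(attempt, salt, stored);

        System.out.println("verified=" + ok);
        System.out.println("attempt wiped=" + Arrays.equals(attempt, new char[attempt.length]));
    }
}
```

Overwriting the array shortens the time the plaintext stays on the heap; it does not remove copies made by other layers, such as a String created earlier when the value was parsed from a request.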