Alex Rudyy created QPIDJMS-368:
----------------------------------
Summary: Connection URL keystore/truststore/user passwords can be reported unmasked as part of client logs
Key: QPIDJMS-368
URL: https://issues.apache.org/jira/browse/QPIDJMS-368
Project: Qpid JMS
Issue Type: Bug
Components: qpid-jms-client
Affects Versions: 0.30.0
Reporter: Alex Rudyy
Connection URL keystore/truststore/user passwords can be reported unmasked as
part of client logs in the following cases:
# when no failover is configured, a failed attempt to establish connectivity
results in the ERROR log entry below
{noformat}
ERROR [main] o.a.q.j.JmsConnection Failed to connect to remote at:
amqps://localhost:5672?transport.keyStoreLocation=%2Fpath%2Fkeystore.jks&transport.keyStorePassword=password&transport.trustStoreLocation=%2Fpath%2Fto%2Ftrsustore.jks&transport.trustStorePassword=password
{noformat}
# when failover is configured, a connectivity attempt can end up in log
entries like the ones below
{noformat}
DEBUG [FailoverProvider: connect thread] o.a.q.j.p.f.FailoverProvider
Connection attempt:[1] to:
amqps://localhost:5672?transport.keyStoreLocation=/path/to/truststore.jks&transport.keyStorePassword=password&transport.trustStoreLocation=/path/to/keystore.jks&transport.trustStorePassword=password&jms.username=admin&jms.password=password
in-progress
INFO [FailoverProvider: connect thread] o.a.q.j.p.f.FailoverProvider
Connection attempt:[1] to:
amqps://localhost:5672?transport.keyStoreLocation=/path/to/truststore.jks&transport.keyStorePassword=password&transport.trustStoreLocation=/path/to/keystore.jks&transport.trustStorePassword=password&jms.username=admin&jms.password=password
failed
{noformat}
An attacker can potentially retrieve the credentials from the logs. It would be
desirable to mask credential details when logging the connection URL.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
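Added example (Python, not Qpid JMS project code): the masking the report asks for, applied to the URI text before it is logged, plus a scan of existing log lines for URIs that were logged unmasked. The three option names come from the log excerpts above; treating any option whose name ends in "password" as sensitive, the handling of nested failover:(...) URIs, and the sample log lines are assumptions made here.

```python
"""Mask passwords in AMQP connection URIs before they reach a log, and scan
existing log lines for URIs that were logged unmasked.

Added example, not Qpid JMS project code. It works on the URI text only, so
it needs no broker and no JMS client.
"""
import logging
import re

# Query options whose values are secrets. The three explicit names are the
# ones that appear in the issue's log excerpts; also treating any option
# whose name ends in "password" as sensitive is an assumption made here.
SENSITIVE_NAMES = {
    "transport.keystorepassword",
    "transport.truststorepassword",
    "jms.password",
}
MASK = "*****"

# One name=value pair of a query string. The name follows the start of a
# query ('?'), a separator ('&'), or, inside a failover URI such as
# failover:(amqps://a?x=1,amqps://b?x=2), a '(' or ','. The value runs until
# the next '&', ')', ',' or whitespace. Percent-encoded values (e.g. %2Fpath)
# contain none of those characters, so encoded and raw values are handled the
# same way, and non-sensitive values are left byte-for-byte unchanged.
_PAIR = re.compile(r"(?P<prefix>[?&(,])(?P<name>[^=&?(),\s]+)=(?P<value>[^&),\s]*)")


def is_sensitive(name: str) -> bool:
    lowered = name.lower()
    return lowered in SENSITIVE_NAMES or lowered.endswith("password")


def mask_uri(text: str) -> str:
    """Return text with the value of every sensitive option replaced by MASK.

    Works on a bare URI or on a whole log line containing one or more URIs.
    """
    def replace(match: re.Match) -> str:
        if is_sensitive(match.group("name")):
            return f"{match.group('prefix')}{match.group('name')}={MASK}"
        return match.group(0)
    return _PAIR.sub(replace, text)


def unmasked_secrets(text: str) -> list[str]:
    """Names of sensitive options in text whose value is not already MASK."""
    return [
        m.group("name")
        for m in _PAIR.finditer(text)
        if is_sensitive(m.group("name")) and m.group("value") != MASK
    ]


class MaskingFilter(logging.Filter):
    """Logging filter that masks secrets in the fully formatted message."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = mask_uri(record.getMessage())
        record.args = ()  # already interpolated; nothing left to format
        return True


# Constructed sample URI and log lines, modelled on the excerpts in the issue.
SAMPLE_URI = (
    "amqps://localhost:5672?transport.keyStoreLocation=/path/to/keystore.jks"
    "&transport.keyStorePassword=password&jms.username=admin&jms.password=password"
)
SAMPLE_LOG = [
    "ERROR [main] o.a.q.j.JmsConnection Failed to connect to remote at: "
    "amqps://localhost:5672?transport.keyStoreLocation=%2Fpath%2Fkeystore.jks"
    "&transport.keyStorePassword=password"
    "&transport.trustStoreLocation=%2Fpath%2Fto%2Ftruststore.jks"
    "&transport.trustStorePassword=password",
    "INFO [FailoverProvider: connect thread] o.a.q.j.p.f.FailoverProvider "
    "Connection attempt:[1] to: " + SAMPLE_URI + " failed",
    "DEBUG [main] o.a.q.j.JmsConnection Connected to "
    "amqp://localhost:5672?jms.username=admin&jms.password=*****",
]


def scan_log(lines: list[str]) -> list[tuple[int, list[str]]]:
    """(1-based line number, leaked option names) for every line that still
    carries an unmasked secret."""
    return [(i, leaks) for i, line in enumerate(lines, 1) if (leaks := unmasked_secrets(line))]


if __name__ == "__main__":
    # Detection: which existing log lines leak credentials, and which options?
    for number, names in scan_log(SAMPLE_LOG):
        print(f"line {number}: unmasked {', '.join(names)}")
    # Prevention: the same URI logged through the masking filter.
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    log = logging.getLogger("demo")
    log.addFilter(MaskingFilter())
    log.info("Failed to connect to remote at: %s", SAMPLE_URI)
```

The regex operates on the raw text rather than decoding the query, so a masked URI differs from the original only in the secret values; the keystore paths stay exactly as they were, whether percent-encoded or not. Masking at the logging boundary (the filter) is a backstop; the durable fix is for the client to mask when it renders the URI to a string, as the report suggests.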