[ 
https://issues.apache.org/jira/browse/ZOOKEEPER-2405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15213158#comment-15213158
 ] 

Patrick Hunt commented on ZOOKEEPER-2405:
-----------------------------------------

Fortify identified this as a critical issue (it identified 5 in our code base 
but I evaluated this one as the only possibly serious issue). 

My sense is that this is not particularly serious, given it's only output in 
debug mode, however I still think we should address it. We can either cut down 
the details on what's output (the toString of KerberosTicket is pretty 
verbose), or we can just indicate whether it's null or not, or we could keep 
what we have and introduce another "kerberos verbose logging/debug" type 
configuration parameter in order to get this detail. 

We should also investigate what kerberos itself is outputting when you set 
"debug=true" in jaas.conf and set "-Dsun.security.krb5.debug=true" on 
the JVM. Perhaps that's sufficient information and we don't gain much from this 
debug output? In which case perhaps logging an identifier (which can be tracked 
back to the kerberos debug information) might be sufficient instead.

> getTGT() in Login.java mishandles confidential information
> ----------------------------------------------------------
>
>                 Key: ZOOKEEPER-2405
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2405
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: kerberos, security, server
>    Affects Versions: 3.4.8, 3.5.1, 3.6.0
>            Reporter: Patrick Hunt
>            Priority: Blocker
>             Fix For: 3.4.9, 3.5.2, 3.6.0
>
>
> We're logging the kerberos ticket when in debug mode, probably not the best 
> idea. This was identified as a "critical" issue by Fortify.
> {noformat}
>         for(KerberosTicket ticket: tickets) {
>             KerberosPrincipal server = ticket.getServer();
>             if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
>                 LOG.debug("Found tgt " + ticket + ".");
>                 return ticket;
>             }
>         }
> {noformat}
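The quoted getTGT() loop logs the whole KerberosTicket, and KerberosTicket.toString() includes the session key and the encoded ticket bytes. The following is an added example (not ZooKeeper's code) of the "cut down the details" option from the comment above: the same krbtgt match, but the debug line goes through a summary helper that prints only principal names, validity window and lifecycle flags. Class and method names (SafeTgtLogging, describe, findTgt) and the sample ticket in main are assumptions constructed for the example.

```java
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class SafeTgtLogging {

    /** Log-safe summary: names, times and flags only. No session key and no
     *  ASN.1 ticket bytes, so the log line cannot be replayed as a credential. */
    static String describe(KerberosTicket ticket) {
        if (ticket == null) {
            return "tgt=null";
        }
        return "tgt{client=" + ticket.getClient().getName()
                + ", server=" + ticket.getServer().getName()
                + ", start=" + ticket.getStartTime()
                + ", end=" + ticket.getEndTime()
                + ", renewable=" + ticket.isRenewable()
                + ", current=" + ticket.isCurrent() + "}";
    }

    /** Same krbtgt/REALM@REALM match as the quoted loop; only the logged text differs. */
    static KerberosTicket findTgt(KerberosTicket[] tickets) {
        for (KerberosTicket ticket : tickets) {
            KerberosPrincipal server = ticket.getServer();
            if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                // Replaces LOG.debug("Found tgt " + ticket + ".") from Login.getTGT().
                System.out.println("DEBUG Found tgt " + describe(ticket) + ".");
                return ticket;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample ticket (assumption): dummy ASN.1 bytes and an all-zero
        // 16-byte session key, never real credentials. 17 is the aes128-cts-hmac-sha1-96 etype.
        KerberosPrincipal client = new KerberosPrincipal("zookeeper/host1.example.com@EXAMPLE.COM");
        KerberosPrincipal server = new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM");
        long now = System.currentTimeMillis();
        KerberosTicket sample = new KerberosTicket(new byte[] {0x30, 0x00}, client, server,
                new byte[16], 17, new boolean[32],
                new Date(now), new Date(now), new Date(now + 36_000_000L), null, null);

        KerberosTicket found = findTgt(new KerberosTicket[] {sample});
        // For contrast, the verbose form the quoted code would have emitted: it contains
        // "Session Key" and "Ticket (hex)" sections, which is what Fortify flagged.
        System.out.println("Unsafe toString() length: " + found.toString().length()
                + " chars, safe summary length: " + describe(found).length() + " chars");
    }
}
```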



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)