[jira] [Updated] (GEODE-9354) Refactor ArgumentRedactor and add tests for ssl-*store-password props

Mon, 03 Jan 2022 14:00:06 -0800 


     [ 
https://issues.apache.org/jira/browse/GEODE-9354?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kirk Lund updated GEODE-9354:
-----------------------------
    Description: 
Refactor ArgumentRedactor to clean it up and make sure it's efficient.

Add test coverage for log statements containing:
{noformat}
-Dgemfire.ssl-truststore-password=<PASSWORD>
-Dgemfire.ssl-keystore-password=<PASSWORD>
{noformat}

Related to 
[CVE-2021-34797|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34797] 
in which logging is vulnerable to a log file redaction of sensitive information 
flaw when using values that begin with characters other than letters or numbers 
for passwords and security properties with the prefix "sysprop-", 
"javax.net.ssl", or "security-".

Fixed in https://github.com/apache/geode/pull/6641.

  was:
Refactor ArgumentRedactor to clean it up and make sure it's efficient.

Add test coverage for log statements containing:
{noformat}
-Dgemfire.ssl-truststore-password=<PASSWORD>
-Dgemfire.ssl-keystore-password=<PASSWORD>
{noformat}

Related to 
[CVE-2021-34797|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34797] 
in which logging is vulnerable to a log file redaction of sensitive information 
flaw when using values that begin with characters other than letters or numbers 
for passwords and security properties with the prefix "sysprop-", 
"javax.net.ssl", or "security-".


> Refactor ArgumentRedactor and add tests for ssl-*store-password props
> ---------------------------------------------------------------------
>
>                 Key: GEODE-9354
>                 URL: https://issues.apache.org/jira/browse/GEODE-9354
>             Project: Geode
>          Issue Type: Bug
>          Components: logging
>    Affects Versions: 1.12.4, 1.13.4
>            Reporter: Kirk Lund
>            Assignee: Kirk Lund
>            Priority: Major
>              Labels: GeodeOperationAPI, pull-request-available
>             Fix For: 1.12.5, 1.13.5, 1.14.0, 1.15.0
>
>
> Refactor ArgumentRedactor to clean it up and make sure it's efficient.
> Add test coverage for log statements containing:
> {noformat}
> -Dgemfire.ssl-truststore-password=<PASSWORD>
> -Dgemfire.ssl-keystore-password=<PASSWORD>
> {noformat}
> Related to 
> [CVE-2021-34797|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34797]
>  in which logging is vulnerable to a log file redaction of sensitive 
> information flaw when using values that begin with characters other than 
> letters or numbers for passwords and security properties with the prefix 
> "sysprop-", "javax.net.ssl", or "security-".
> Fixed in https://github.com/apache/geode/pull/6641.



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

Reply via email to