Eduardo Aguinaga created KARAF-4200:
---------------------------------------
Summary: Privacy Violation: Heap Inspection
Key: KARAF-4200
URL: https://issues.apache.org/jira/browse/KARAF-4200
Project: Karaf
Issue Type: Bug
Affects Versions: 4.0.3
Reporter: Eduardo Aguinaga
HP Fortify and SciTools Understand were used to perform an application security
scan on the karaf source code.
The method login() in JDBCLoginModule.java stores sensitive data in a String
object on line 95, making it impossible to reliably purge the data from memory.
JDBCLoginModule.java, lines 88-96:
88 user = ((NameCallback) callbacks[0]).getName();
89
90 char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
91 if (tmpPassword == null) {
92 tmpPassword = new char[0];
93 }
94
95 String password = new String(tmpPassword);
96 principals = new HashSet<>();
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
