Hello,

In our application we are using log4j 1.2.17. We use Struts, which internally uses BeanUtils for the Login bean. If the log level is set to DEBUG for the "org.apache.commons.beanutils" category in log4j.xml, it prints the password in clear text.

In the example below, the user's username is "admin" and the password is "password":

DEBUG [admin-http-pool1][] org.apache.commons.beanutils.ConvertUtils -::25E5ED4A07F594C9CBDC2C7915D657D2:::- Convert string 'admin' to class 'java.lang.String'
DEBUG [admin-http-pool1][] org.apache.commons.beanutils.ConvertUtils -::25E5ED4A07F594C9CBDC2C7915D657D2:::- Convert string 'password' to class 'java.lang.String'

The security team at our company reported this as a security vulnerability and wants us to fix it immediately. Any ideas on how to suppress logging for particular fields? Or is there any other alternative? Please share your input.

Thanks,
Arjun.
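The two approaches most often suggested in reply to this kind of question, written out as an added example (not code from the original post or from Struts/BeanUtils). ConvertUtils logs the raw value it is converting and has no idea which bean property it belongs to, so there is no per-field switch inside BeanUtils; the suppression has to happen in log4j. The example assumes log4j 1.2.17 on the classpath; the package, class and logger names (com.example.logging, BeanUtilsLogFilter, com.example.LoginAction) and the log messages in main are mine, constructed to mirror the lines in the post:

```java
// Added example, not from the original post: two ways to keep log4j 1.2.x
// from writing the BeanUtils DEBUG lines that carry the submitted password.
// Assumes log4j 1.2.17; package, class and logger names are hypothetical.
package com.example.logging;

import org.apache.log4j.ConsoleAppender;
import org.apache.log4j.Level;
import org.apache.log4j.Logger;
import org.apache.log4j.PatternLayout;
import org.apache.log4j.spi.Filter;
import org.apache.log4j.spi.LoggingEvent;

/**
 * Appender-side filter: DENY events below INFO whose logger is in the
 * org.apache.commons.beanutils hierarchy; NEUTRAL for everything else so the
 * appender's other filters and threshold still apply.
 *
 * Equivalent log4j.xml wiring (the <filter> element goes after <layout>),
 * repeated on every appender that must never carry the conversion trace:
 *
 *   <appender name="FILE" class="org.apache.log4j.RollingFileAppender">
 *     ...
 *     <layout class="org.apache.log4j.PatternLayout"> ... </layout>
 *     <filter class="com.example.logging.BeanUtilsLogFilter"/>
 *   </appender>
 */
public class BeanUtilsLogFilter extends Filter {
    private static final String BEANUTILS_PREFIX = "org.apache.commons.beanutils";

    @Override
    public int decide(LoggingEvent event) {
        String logger = event.getLoggerName();
        if (logger != null
                && logger.startsWith(BEANUTILS_PREFIX)
                && !event.getLevel().isGreaterOrEqual(Level.INFO)) {
            return Filter.DENY;
        }
        return Filter.NEUTRAL;
    }

    /**
     * Preferred fix: raise the category level. The DEBUG call is rejected
     * before the message string (and the password in it) is ever built, and
     * it covers every appender at once. Same as in log4j.xml:
     *
     *   <category name="org.apache.commons.beanutils">
     *     <priority value="INFO"/>
     *   </category>
     */
    public static void raiseBeanUtilsLevel() {
        Logger.getLogger(BEANUTILS_PREFIX).setLevel(Level.INFO);
    }

    /** Demo using a logger with the same name BeanUtils uses. */
    public static void main(String[] args) {
        ConsoleAppender console = new ConsoleAppender(
                new PatternLayout("%-5p [%t] %c - %m%n"));
        console.addFilter(new BeanUtilsLogFilter());
        Logger root = Logger.getRootLogger();
        root.removeAllAppenders();
        root.addAppender(console);
        root.setLevel(Level.DEBUG); // the global DEBUG setting that exposed the password

        Logger beanutils = Logger.getLogger("org.apache.commons.beanutils.ConvertUtils");
        Logger app = Logger.getLogger("com.example.LoginAction");

        // Constructed messages mirroring the lines in the post.
        beanutils.debug("Convert string 'password' to class 'java.lang.String'"); // DENIED by filter
        beanutils.info("Converter registered");                                   // printed
        app.debug("login attempt for user admin");                                // printed

        // With the level fix the DEBUG call returns before formatting anything.
        raiseBeanUtilsLevel();
        beanutils.debug("Convert string 'password' to class 'java.lang.String'"); // never built
    }
}
```

The filter variant is useful when a single appender (say, a remote syslog or a shared file) must stay clean while a developer console keeps full DEBUG output, but it is per appender and the message string is still constructed before the filter sees it. The category level is the simpler and safer default: it is decided once, before formatting, and covers every appender. Either way, existing log files and their backups already contain the passwords and should be treated as exposed when deciding whether affected users need to reset them.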
