[
https://issues.apache.org/jira/browse/LOG4J2-3056?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17310057#comment-17310057
]
Volkan Yazici commented on LOG4J2-3056:
---------------------------------------
[~Marcono1234], I did not dive into the source code yet, but your reasoning
makes sense. I will pick it up as soon as possible.
> NameUtil.md5(String) could leak plaintext credentials
> -----------------------------------------------------
>
> Key: LOG4J2-3056
> URL: https://issues.apache.org/jira/browse/LOG4J2-3056
> Project: Log4j 2
> Issue Type: Bug
> Reporter: Marcono1234
> Assignee: Volkan Yazici
> Priority: Major
> Fix For: 2.15.0
>
>
> {{org.apache.logging.log4j.util.NameUtil.md5(String)}} could leak the
> credentials provided to it in case an exception is thrown:
> {code}
> public static String md5(final String string) {
>     try {
>         ...
>     } catch (final Exception ex) {
>         return string; // leaks plaintext credentials
>     }
> }
> {code}
> This is however very likely not a security issue currently because it appears
> the only exception which could occur is {{NoSuchAlgorithmException}}.
> Nonetheless I would recommend the following changes:
> - *Never return the plaintext {{String}}*
> - Wrap the {{getInstance("MD5")}} call with a {{try-catch}} catching the
> {{NoSuchAlgorithmException}}, wrapping it in an {{AssertionError}} and throw
> that, since the [documentation for
> {{MessageDigest}}|https://docs.oracle.com/javase/8/docs/api/java/security/MessageDigest.html]
> guarantees that every JRE must support MD5:
> {code}
> MessageDigest md5;
> try {
>     md5 = MessageDigest.getInstance("MD5");
> } catch (NoSuchAlgorithmException e) {
>     // Impossible; MessageDigest documentation guarantees that MD5 is supported
>     throw new AssertionError("MD5 is not supported", e);
> }
> {code}
> - Don't use {{string.getBytes()}}, that uses the default charset of the
> platform. I don't know what the 'correct' charset here would be (maybe
> UTF-8?), but it is very likely not the default charset.
> - Optional: Omit the call to {{MessageDigest.update}} and instead only call
> {{digest(byte[])}}.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
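A hardened version of the helper that applies the reporter's suggestions, written as an added example and not taken from Log4j's source: it throws instead of handing the input back on failure, names the charset explicitly, and hashes with a single digest(byte[]) call. The class name HardenedNameUtil and the choice of UTF-8 are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Added example (not Log4j's code): NameUtil.md5 rewritten along the lines proposed in LOG4J2-3056. */
public final class HardenedNameUtil {

    private HardenedNameUtil() {}

    public static String md5(final String string) {
        final MessageDigest digest;
        try {
            digest = MessageDigest.getInstance("MD5");
        } catch (final NoSuchAlgorithmException e) {
            // Every JRE must provide MD5 (MessageDigest Javadoc); treat its absence as a
            // broken runtime and fail loudly, never return the caller's plaintext.
            throw new AssertionError("MD5 is not supported", e);
        }
        // Explicit charset: getBytes() with no argument uses the platform default,
        // so the same input could hash differently from one host to another.
        // digest(byte[]) replaces the separate update() + digest() pair.
        final byte[] bytes = digest.digest(string.getBytes(StandardCharsets.UTF_8));
        final StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (final byte b : bytes) {
            sb.append(Character.forDigit((b >> 4) & 0xF, 16));
            sb.append(Character.forDigit(b & 0xF, 16));
        }
        return sb.toString();
    }

    public static void main(final String[] args) {
        // Constructed sample input; "abc" is the standard MD5 test vector
        // and yields 900150983cd24fb0d6963f7d28e17f72.
        System.out.println(md5("abc"));
    }
}
```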