[ 
https://issues.apache.org/jira/browse/QPIDJMS-368?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Timothy Bish resolved QPIDJMS-368.
----------------------------------
       Resolution: Fixed
         Assignee: Timothy Bish
    Fix Version/s: 0.31.0

> Connection URL keystore/truststore/user passwords can be reported unmasked as 
> part of client logs
> -------------------------------------------------------------------------------------------------
>
>                 Key: QPIDJMS-368
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-368
>             Project: Qpid JMS
>          Issue Type: Bug
>          Components: qpid-jms-client
>    Affects Versions: 0.30.0
>            Reporter: Alex Rudyy
>            Assignee: Timothy Bish
>            Priority: Major
>             Fix For: 0.31.0
>
>
> Connection URL keystore/truststore/user passwords can be reported unmasked as 
> part of client logs in the following cases:
> # when no failover is configured, a failed attempt to establish connectivity 
> results in issuing the ERROR log as below
> {noformat}
> ERROR [main] o.a.q.j.JmsConnection Failed to connect to remote at: 
> amqps://localhost:5672?transport.keyStoreLocation=%2Fpath%2Fkeystore.jks&transport.keyStorePassword=password&transport.trustStoreLocation=%2Fpath%2Fto%2Ftrsustore.jks&transport.trustStorePassword=password
> {noformat}
> # when failover is configured, a connectivity attempt can end up in logs 
> like below
> {noformat}
> DEBUG [FailoverProvider: connect thread] o.a.q.j.p.f.FailoverProvider 
> Connection attempt:[1] to: 
> amqps://localhost:5672?transport.keyStoreLocation=/path/to/truststore.jks&transport.keyStorePassword=password&transport.trustStoreLocation=/path/to/keystore.jks&transport.trustStorePassword=password&jms.username=admin&jms.password=password
>  in-progress
> INFO  [FailoverProvider: connect thread] o.a.q.j.p.f.FailoverProvider 
> Connection attempt:[1] to: 
> amqps://localhost:5672?transport.keyStoreLocation=/path/to/truststore.jks&transport.keyStorePassword=password&transport.trustStoreLocation=/path/to/keystore.jks&transport.trustStorePassword=password&jms.username=admin&jms.password=password
>  failed
> {noformat}
> An attacker can potentially retrieve the credentials from the logs. It would 
> be desirable to mask credential details when logging connection URL.



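One way to mask credential options before a connection URI reaches a log statement, shown as an added example (it is not the Qpid JMS fix and not code from the issue). The class name `UriLogMasker`, the `<masked>` marker and the sample URIs with their secret value are constructed here; the option names are the ones in the logs quoted above.

```java
import java.util.regex.Pattern;

public class UriLogMasker {
    // Matches any URI option whose name ends in "password" (case-insensitive),
    // e.g. transport.keyStorePassword, transport.trustStorePassword, jms.password.
    // The value runs to the next '&', ')', ',' or whitespace, so remote URIs
    // nested inside a failover:(...) list are covered too. A literal '&', ')' or
    // ',' inside a password is assumed to be percent-encoded in the URI.
    private static final Pattern SECRET_OPTION =
        Pattern.compile("(?i)(password=)[^&),\\s]*");

    // Returns a copy of the URI that is safe to log; option names are kept so
    // the log line still shows which settings were supplied.
    static String mask(String uri) {
        if (uri == null) {
            return null;
        }
        return SECRET_OPTION.matcher(uri).replaceAll("$1<masked>");
    }

    public static void main(String[] args) {
        String secret = "s3cret-constructed"; // constructed sample value
        String[] samples = {
            // single remote, as in the ERROR line from the issue
            "amqps://localhost:5672?transport.keyStoreLocation=%2Fpath%2Fkeystore.jks"
                + "&transport.keyStorePassword=" + secret
                + "&transport.trustStorePassword=" + secret,
            // failover list with per-remote options and user credentials
            "failover:(amqps://localhost:5672?transport.trustStorePassword=" + secret
                + "&jms.username=admin&jms.password=" + secret
                + ",amqps://localhost:5673?transport.keyStorePassword=" + secret + ")"
        };
        for (String uri : samples) {
            String safe = mask(uri);
            // Self-check: the secret must not survive masking.
            if (safe.contains(secret)) {
                throw new IllegalStateException("secret leaked: " + safe);
            }
            System.out.println("Connection attempt to: " + safe);
        }
    }
}
```

Masking belongs at every call site that formats the remote URI into a log or exception message, since the issue shows the same URI surfacing at ERROR, INFO and DEBUG levels.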