[ https://issues.apache.org/jira/browse/QPIDJMS-368?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Timothy Bish resolved QPIDJMS-368.
----------------------------------
    Resolution: Fixed
      Assignee: Timothy Bish
 Fix Version/s: 0.31.0

> Connection URL keystore/truststore/user passwords can be reported unmasked as
> part of client logs
> -------------------------------------------------------------------------------------------------
>
>              Key: QPIDJMS-368
>              URL: https://issues.apache.org/jira/browse/QPIDJMS-368
>          Project: Qpid JMS
>       Issue Type: Bug
>       Components: qpid-jms-client
> Affects Versions: 0.30.0
>         Reporter: Alex Rudyy
>         Assignee: Timothy Bish
>         Priority: Major
>          Fix For: 0.31.0
>
>
> Connection URL keystore/truststore/user passwords can be reported unmasked as
> part of client logs in the following cases:
> # when no failover is configured, a failed attempt to establish connectivity
> results in issuing the ERROR log as below
> {noformat}
> ERROR [main] o.a.q.j.JmsConnection Failed to connect to remote at:
> amqps://localhost:5672?transport.keyStoreLocation=%2Fpath%2Fkeystore.jks&transport.keyStorePassword=password&transport.trustStoreLocation=%2Fpath%2Fto%2Ftrsustore.jks&transport.trustStorePassword=password
> {noformat}
> # when failover is configured, a connectivity attempt can end up in logs
> like below
> {noformat}
> DEBUG [FailoverProvider: connect thread] o.a.q.j.p.f.FailoverProvider
> Connection attempt:[1] to:
> amqps://localhost:5672?transport.keyStoreLocation=/path/to/truststore.jks&transport.keyStorePassword=password&transport.trustStoreLocation=/path/to/keystore.jks&transport.trustStorePassword=password&jms.username=admin&jms.password=password
> in-progress
> INFO [FailoverProvider: connect thread] o.a.q.j.p.f.FailoverProvider
> Connection attempt:[1] to:
> amqps://localhost:5672?transport.keyStoreLocation=/path/to/truststore.jks&transport.keyStorePassword=password&transport.trustStoreLocation=/path/to/keystore.jks&transport.trustStorePassword=password&jms.username=admin&jms.password=password
> failed
> {noformat}
> An attacker can potentially retrieve the credentials from the logs. It would
> be desirable to mask credential details when logging connection URL.
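
The masking the report asks for, sketched as an added example: this is not the change shipped in 0.31.0 and not Qpid JMS code, and the class name `UriLogMasker` is hypothetical. It assumes a single remote URI in the form shown in the log lines above, with secrets carried in query options whose key ends in "password".

```java
import java.net.URI;
import java.util.regex.Pattern;

// Added example, not Qpid JMS code: mask secret-bearing options before a URI is logged.
public final class UriLogMasker {

    // Matches any query option whose key ends in "password" (case-insensitive),
    // e.g. transport.keyStorePassword, transport.trustStorePassword, jms.password.
    // The value runs to the next '&', ';', '#' or whitespace.
    private static final Pattern PASSWORD_OPTION =
            Pattern.compile("(?i)([?&;][^=&;#\\s]*password=)[^&;#\\s]*");

    private static final String MASK = "****";

    private UriLogMasker() { }

    /** Returns a copy of the URI text that is safe to pass to a logger. */
    public static String mask(String uri) {
        if (uri == null) {
            return null;
        }
        return PASSWORD_OPTION.matcher(uri).replaceAll("$1" + MASK);
    }

    public static String mask(URI uri) {
        return uri == null ? null : mask(uri.toString());
    }

    public static void main(String[] args) {
        // Constructed sample modelled on the log lines in the report.
        String remote = "amqps://localhost:5672"
                + "?transport.keyStoreLocation=/path/to/keystore.jks"
                + "&transport.keyStorePassword=password"
                + "&transport.trustStoreLocation=/path/to/truststore.jks"
                + "&transport.trustStorePassword=password"
                + "&jms.username=admin&jms.password=password";

        String safe = mask(remote);
        System.out.println("Connection attempt:[1] to: " + safe + " failed");

        // Locations and username stay readable for troubleshooting; secrets do not.
        if (safe.contains("=password") || !safe.contains("jms.username=admin")) {
            throw new AssertionError("masking failed: " + safe);
        }
    }
}
```

Working on the raw string rather than a parsed `URI` means the mask still applies when the URI is malformed, which is often exactly when a connection failure gets logged.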