[ https://issues.apache.org/jira/browse/KAFKA-7915?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Rajini Sivaram updated KAFKA-7915:
----------------------------------
    Description: 
There was a regression from the commit 
https://github.com/apache/kafka/commit/e8a3bc74254a8e4e4aaca41395177fa4a98b480c#diff-e4c812749f57c982e2570492657ea787
 which added the error message from SaslException thrown by the server during 
authentication into the error response returned to clients. Since this 
exception may contain sensitive data (e.g. indicating that a user exists but 
password match failed), we should not return the error to clients. We have a 
separate exception (`AuthenticationException`) for errors that are safe to 
propagate to clients.

The regression was not in any released version, the related commit will only be 
in 2.2.0, so we just need to fix this before 2.2.0.


> SASL authentication failures may return sensitive data to client
> ----------------------------------------------------------------
>
>                 Key: KAFKA-7915
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7915
>             Project: Kafka
>          Issue Type: Bug
>          Components: security
>            Reporter: Rajini Sivaram
>            Assignee: Rajini Sivaram
>            Priority: Critical
>             Fix For: 2.2.0
>
>



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
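The distinction the issue relies on, as an added example that is not Kafka's own code: a server-side SASL check raises a SaslException whose text tells "unknown user" apart from "wrong password", and the response builder either forwards that text (the regressed behaviour) or collapses everything except an AuthenticationException to a fixed string (the fix). The AuthenticationException class below is a local stand-in for org.apache.kafka.common.errors.AuthenticationException, ErrorResponse is a hypothetical wire-level response, and the user table and all message strings are constructed for the example.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import javax.security.sasl.SaslException;

/*
 * Added example, not Kafka's own code. A SaslException raised inside the
 * server's authentication logic may carry detail that belongs in the broker
 * log but must not reach the client; AuthenticationException is reserved for
 * messages that are safe to send back. Assumptions: AuthenticationException
 * is a local stand-in for Kafka's class of the same name, ErrorResponse is a
 * hypothetical wire-level response, and the user table is constructed.
 */
public class SaslErrorSanitizer {

    /** Local stand-in: an error whose message is safe to return to the client. */
    static final class AuthenticationException extends RuntimeException {
        AuthenticationException(String message) { super(message); }
    }

    /** Hypothetical error response carried back to the client. */
    static final class ErrorResponse {
        final String errorName;
        final String message;
        ErrorResponse(String errorName, String message) {
            this.errorName = errorName;
            this.message = message;
        }
        @Override public String toString() { return errorName + ": " + message; }
    }

    /** Constructed credential table standing in for a real credential store. */
    private static final Map<String, String> USERS = Map.of("alice", "correct horse");

    /** Fixed text the client receives for every server-side SASL failure. */
    static final String GENERIC_MESSAGE = "Authentication failed";

    /**
     * Server-side SASL/PLAIN check. Like a real SaslServer callback it puts the
     * precise reason in the exception, distinguishing "no such user" from
     * "wrong password"; that is exactly the detail a client must not see.
     */
    static void authenticatePlain(String username, String password) throws SaslException {
        String expected = USERS.get(username);
        if (expected == null) {
            throw new SaslException("Authentication failed: unknown user " + username);
        }
        if (!expected.equals(password)) {
            throw new SaslException("Authentication failed: password mismatch for user " + username);
        }
    }

    /** Regressed behaviour: whatever message the server threw goes to the client. */
    static ErrorResponse leakyResponse(Throwable failure) {
        return new ErrorResponse("SASL_AUTHENTICATION_FAILED", failure.getMessage());
    }

    /**
     * Fixed behaviour: only AuthenticationException messages are forwarded.
     * Any other failure is logged server-side and collapsed to GENERIC_MESSAGE.
     */
    static ErrorResponse safeResponse(Throwable failure, List<String> serverLog) {
        if (failure instanceof AuthenticationException) {
            return new ErrorResponse("SASL_AUTHENTICATION_FAILED", failure.getMessage());
        }
        serverLog.add("SASL authentication failed: " + failure.getMessage());
        return new ErrorResponse("SASL_AUTHENTICATION_FAILED", GENERIC_MESSAGE);
    }

    /** Runs one login attempt through both response builders. */
    static void attempt(String user, String password, List<String> serverLog) {
        try {
            authenticatePlain(user, password);
            System.out.println(user + ": authenticated");
        } catch (SaslException e) {
            System.out.println("regressed -> " + leakyResponse(e));
            System.out.println("fixed     -> " + safeResponse(e, serverLog));
        }
    }

    public static void main(String[] args) {
        List<String> serverLog = new ArrayList<>();
        attempt("alice", "wrong password", serverLog); // user exists, bad password
        attempt("mallory", "anything", serverLog);      // user does not exist
        // A message the server deliberately marked client-safe is still forwarded.
        AuthenticationException safe =
            new AuthenticationException("Authentication failed: SASL mechanism PLAIN not enabled");
        System.out.println("fixed     -> " + safeResponse(safe, serverLog));
        System.out.println("server log: " + serverLog);
    }
}
```

Running main shows the two "regressed" lines differing between the existing and the non-existent user, which is enough for an unauthenticated client to enumerate accounts, while the two "fixed" lines are byte-for-byte identical and the distinguishing detail appears only in the server-side log. The check to carry over to any other protocol handler is the same: the client-facing message must be derived from the exception type, never copied from an exception the server did not explicitly classify as safe.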