karaf-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jean-Baptiste Onofré (JIRA) <j...@apache.org>
Subject [jira] [Updated] (KARAF-4200) Privacy Violation: Heap Inspection
Date Tue, 15 Dec 2015 15:14:46 GMT

     [ https://issues.apache.org/jira/browse/KARAF-4200?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Jean-Baptiste Onofré updated KARAF-4200:
----------------------------------------
    Description: 
HP Fortify and SciTools Understand were used to perform an application security scan on the
karaf source code.

The method login() in JDBCLoginModule.java stores sensitive data in a String object on line
95, making it impossible to reliably purge the data from memory.

JDBCLoginModule.java, lines 88-96:
{code}
88 user = ((NameCallback) callbacks[0]).getName();
89 
90 char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
91 if (tmpPassword == null) {
92     tmpPassword = new char[0];
93 }
94 
95 String password = new String(tmpPassword);
96 principals = new HashSet<>();
{code}

  was:
HP Fortify and SciTools Understand were used to perform an application security scan on the
karaf source code.

The method login() in JDBCLoginModule.java stores sensitive data in a String object on line
95, making it impossible to reliably purge the data from memory.

JDBCLoginModule.java, lines 88-96:
88 user = ((NameCallback) callbacks[0]).getName();
89 
90 char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
91 if (tmpPassword == null) {
92     tmpPassword = new char[0];
93 }
94 
95 String password = new String(tmpPassword);
96 principals = new HashSet<>();


> Privacy Violation: Heap Inspection
> ----------------------------------
>
>                 Key: KARAF-4200
>                 URL: https://issues.apache.org/jira/browse/KARAF-4200
>             Project: Karaf
>          Issue Type: Bug
>    Affects Versions: 4.0.3
>            Reporter: Eduardo Aguinaga
>
> HP Fortify and SciTools Understand were used to perform an application security scan
on the karaf source code.
> The method login() in JDBCLoginModule.java stores sensitive data in a String object on
line 95, making it impossible to reliably purge the data from memory.
> JDBCLoginModule.java, lines 88-96:
> {code}
> 88 user = ((NameCallback) callbacks[0]).getName();
> 89 
> 90 char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
> 91 if (tmpPassword == null) {
> 92     tmpPassword = new char[0];
> 93 }
> 94 
> 95 String password = new String(tmpPassword);
> 96 principals = new HashSet<>();
> {code}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message