Posted to java-user@axis.apache.org by pavan landge <pa...@gmail.com> on 2019/06/19 07:27:52 UTC

Fwd: Axis2: Security Bug Severity 1

---------- Forwarded message ---------
From: pavan landge <pa...@gmail.com>
Date: Thu 13 Jun, 2019, 3:30 PM
Subject: Axis2: Security Bug Severity 1
To: <ja...@axis.apache.org>
Cc: pavan landge <pa...@gmail.com>


Hi Team,

I am using Axis2 jar for SOAP (Request/Response). In log4j (Logger) I am
enabling the logs to check whether the parameters passed with the soap envelope
are correct or not.
I can see in the soap envelope the *PASSWORD* is getting displayed.

<?xml version="1.0" encoding="UTF-8"?>
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:xsd="http://www.w3.org/2001/XMLSchema"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<soapenv:Header>
<wsse:Security soapenv:mustUnderstand="1"
xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
<wsse:UsernameToken>
<wsse:Username>local:test123</wsse:Username>
<wsse:Password>.test123</wsse:Password>
</wsse:UsernameToken>
</wsse:Security>
<ns1:Headers soapenv:mustUnderstand="0"
xmlns:ns1="urn:test123systems-com:Interconnect.Headers">
<ns1:Test123-Client-ID>234234bbdvb-dfg76-4t3f-1aer-01ebd7ferger</ns1:Test123-Client-ID>
</ns1:Headers>
</soapenv:Header>
<soapenv:Body>



Using below entry in log4j to enable the axis2 logs:

log4j.logger.org.apache.axis.client.Call=trace
log4j.logger.org.apache.axis.client.AxisClient=trace
log4j.logger.org.apache.axis.transport.http.HTTPSender=trace
log4j.logger.org.apache.axis.MessageContext=trace

Since it is displaying the Password un-masked, is it valid as per the
security law concern?

Using below configuration machine:

JDK 1.8
MySQL 5.7 server.
Windows 2016 server.


Best Regards,
Pavan Landge
pavanlandge003@gmail.com

Re: Fwd: Axis2: Security Bug Severity 1

Posted by Jayanga Dissanayake <js...@gmail.com>.
Hi Pavan,

On Wed, Jun 19, 2019 at 6:36 PM Alex Borschenko <aa...@gmail.com>
wrote:

> On 6/19/2019 10:27 AM, pavan landge wrote:
>
>
>
> ---------- Forwarded message ---------
> From: pavan landge <pa...@gmail.com>
> Date: Thu 13 Jun, 2019, 3:30 PM
> Subject: Axis2: Security Bug Severity 1
> To: <ja...@axis.apache.org>
> Cc: pavan landge <pa...@gmail.com>
>
>
> Hi Team,
>
> I am using Axis2 jar for SOAP (Request/Response). In log4j (Logger) I am
> enabling the logs to check whether the parameters passed with the soap envelope
> are correct or not.
> I can see in the soap envelope the *PASSWORD* is getting displayed.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> <soapenv:Header>
> <wsse:Security soapenv:mustUnderstand="1"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <wsse:UsernameToken>
> <wsse:Username>local:test123</wsse:Username>
> <wsse:Password>.test123</wsse:Password>
> </wsse:UsernameToken>
> </wsse:Security>
> <ns1:Headers soapenv:mustUnderstand="0"
> xmlns:ns1="urn:test123systems-com:Interconnect.Headers">
>
> <ns1:Test123-Client-ID>234234bbdvb-dfg76-4t3f-1aer-01ebd7ferger</ns1:Test123-Client-ID>
> </ns1:Headers>
> </soapenv:Header>
> <soapenv:Body>
>
>
>
> Using below entry in log4j to enable the axis2 logs:
>
> log4j.logger.org.apache.axis.client.Call=trace
> log4j.logger.org.apache.axis.client.AxisClient=trace
> log4j.logger.org.apache.axis.transport.http.HTTPSender=trace
> log4j.logger.org.apache.axis.MessageContext=trace
>
> Since it is displaying the Password un-masked, is it valid as per the
> security law concern?
>
>
It's not just the password; having usernames in log files is sometimes
problematic.
Especially if you consider GDPR[1], you have to remove any data by which you
can identify an individual upon request.
If you have usernames all over your logs, adhering to those kinds of
enforcement would not be an easy task.

Furthermore, when considering the passwords, having passwords printed in
logs would lead to many security issues. Hence, in my opinion, this has to
be fixed immediately.

[1] https://eugdpr.org/

Thanks,
Jayanga


>
> Using below configuration machine:
>
> JDK 1.8
> MySQL 5.7 server.
> Windows 2016 server.
>
>
> Best Regards,
> Pavan Landge
> pavanlandge003@gmail.com
>
> Unmasked passwords in logs are very bad practice unless it is your test/dev
> env :)
>
>
>

Re: Fwd: Axis2: Security Bug Severity 1

Posted by Alex Borschenko <aa...@gmail.com>.
On 6/19/2019 10:27 AM, pavan landge wrote:
>
>
> ---------- Forwarded message ---------
> From: pavan landge <pavanlandge003@gmail.com 
> <ma...@gmail.com>>
> Date: Thu 13 Jun, 2019, 3:30 PM
> Subject: Axis2: Security Bug Severity 1
> To: <java-user-subscribe@axis.apache.org 
> <ma...@axis.apache.org>>
> Cc: pavan landge <pavanlandge003@gmail.com 
> <ma...@gmail.com>>
>
>
> Hi Team,
>
> I am using Axis2 jar for SOAP (Request/Response). In log4j (Logger) I
> am enabling the logs to check whether the parameters passed with the soap
> envelope are correct or not.
> I can see in the soap envelope the *PASSWORD* is getting displayed.
>
> <?xml version="1.0" encoding="UTF-8"?>
> <soapenv:Envelope
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:xsd="http://www.w3.org/2001/XMLSchema"
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
> <soapenv:Header>
> <wsse:Security soapenv:mustUnderstand="1"
> xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
> <wsse:UsernameToken>
> <wsse:Username>local:test123</wsse:Username>
> <wsse:Password>.test123</wsse:Password>
> </wsse:UsernameToken>
> </wsse:Security>
> <ns1:Headers soapenv:mustUnderstand="0"
> xmlns:ns1="urn:test123systems-com:Interconnect.Headers">
> <ns1:Test123-Client-ID>234234bbdvb-dfg76-4t3f-1aer-01ebd7ferger</ns1:Test123-Client-ID>
> </ns1:Headers>
> </soapenv:Header>
> <soapenv:Body>
>
>
>
> Using below entry in log4j to enable the axis2 logs:
>
> log4j.logger.org.apache.axis.client.Call=trace
> log4j.logger.org.apache.axis.client.AxisClient=trace
> log4j.logger.org.apache.axis.transport.http.HTTPSender=trace
> log4j.logger.org.apache.axis.MessageContext=trace
>
> Since it is displaying the Password un-masked, is it valid as per
> the security law concern?
>
> Using below configuration machine:
>
> JDK 1.8
> MySQL 5.7 server.
> Windows 2016 server.
>
>
> Best Regards,
> Pavan Landge
> pavanlandge003@gmail.com <ma...@gmail.com>
>
Unmasked passwords in logs are very bad practice unless it is your
test/dev env :)



Re: Axis2: Security Bug Severity 1

Posted by "robertlazarski ." <ro...@gmail.com>.
What you describe is going a bit in opposite directions, enable trace
logging to show everything and then have a policy to not show it.

If that situation is unavoidable somehow, I would do it right the first
time and encrypt the soap body.

My next choice would be to solve this at the logging level by using a
custom logger that blacklists some sensitive data; however, the general
consensus is that whitelisting is less error-prone.

The axis2 code uses commons logging which means you can use just about
anything for a custom logger.

Hope that helps,
Robert

On Fri, Jun 21, 2019 at 2:06 AM pavan landge <pa...@gmail.com>
wrote:

> Hi Robert,
>
> But the question is, suppose someone did the log checking with trace/debug
> level intentionally. Then do we have any preventive measure to avoid it?
>
> Or it is the issue with Third party Axis2 jar which is displaying the
> password ?
>
> Best regards,
> Pavan landge
>
> On Wed 19 Jun, 2019, 8:49 PM robertlazarski ., <ro...@gmail.com>
> wrote:
>
>>
>>
>> On Tue, Jun 18, 2019 at 9:28 PM pavan landge <pa...@gmail.com>
>> wrote:
>>
>>>
>>>
>>> ---------- Forwarded message ---------
>>> From: pavan landge <pa...@gmail.com>
>>> Date: Thu 13 Jun, 2019, 3:30 PM
>>> Subject: Axis2: Security Bug Severity 1
>>> To: <ja...@axis.apache.org>
>>> Cc: pavan landge <pa...@gmail.com>
>>>
>>>
>>> Hi Team,
>>>
>>> I am using Axis2 jar for SOAP (Request/Response). In log4j (Logger) I
>>> am enabling the logs to check whether the parameters passed with the soap
>>> envelope are correct or not.
>>> I can see in the soap envelope the *PASSWORD* is getting displayed.
>>>
>>>
>> From an Axis2 security perspective, the WEB-INF/classes/log4j.properties
>> that is shipped defaults to INFO level; you won't see this unless you
>> purposely change the level and also are not encrypting your own sensitive
>> user data.
>>
>> We suggest not doing that. We can't prevent bad practices though, should
>> you choose to do so.
>>
>> If you really need to send the passwords etc. unencrypted, you can always
>> use RAMPART to encrypt the payload body and use a digital signature to
>> verify the integrity.
>>
>> Regards,
>> Robert
>>
>
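
The logging-level option Robert describes above, as an added example that is not Axis2, Rampart or log4j project code: a log4j 1.x layout that scrubs the text content of the UsernameToken elements from the rendered line before any appender writes it. The class name MaskingPatternLayout, the log4j.properties keys shown in the comments and the choice of Password and Username as the masked elements are this example's own assumptions.

```java
import java.util.regex.Pattern;
import org.apache.log4j.PatternLayout;
import org.apache.log4j.spi.LoggingEvent;

// Hypothetical layout (not part of Axis2 or log4j): renders the line as a
// normal PatternLayout would, then masks sensitive WS-Security elements.
// Wire it in log4j.properties instead of PatternLayout, e.g.:
//   log4j.appender.CONSOLE.layout=MaskingPatternLayout
//   log4j.appender.CONSOLE.layout.ConversionPattern=%d %-5p %c - %m%n
public class MaskingPatternLayout extends PatternLayout {

    // Deny-list of element local names whose text content must never be logged.
    // Accepts any namespace prefix (wsse:, ns2:, none) and any attributes, and
    // uses a back-reference (\2) so only the matching closing tag ends the match.
    private static final Pattern SENSITIVE = Pattern.compile(
        "(<(?:[\\w.-]+:)?(Password|Username)\\b[^>]*>)[^<]*(</(?:[\\w.-]+:)?\\2>)");

    public MaskingPatternLayout() { super(); }

    public MaskingPatternLayout(String pattern) { super(pattern); }

    /** Replace the text content of each sensitive element with a fixed mask. */
    public static String mask(String line) {
        return line == null ? null : SENSITIVE.matcher(line).replaceAll("$1****$3");
    }

    @Override
    public String format(LoggingEvent event) {
        // Scrub the fully rendered line, so the mask applies whatever the
        // conversion pattern is and wherever the envelope appears in the message.
        return mask(super.format(event));
    }

    // Stand-alone check on a constructed UsernameToken (no log4j wiring needed).
    public static void main(String[] args) {
        String token = "<wsse:UsernameToken>"
            + "<wsse:Username>local:test123</wsse:Username>"
            + "<wsse:Password Type=\"PasswordText\">.test123</wsse:Password>"
            + "</wsse:UsernameToken>";
        System.out.println(mask(token));
    }
}
```

This is the blacklist approach: any credential carried in an element not on the list (or serialised under a different name) still reaches the log, which is why the thread notes that allow-listing what may be logged is less error-prone.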

Re: Axis2: Security Bug Severity 1

Posted by pavan landge <pa...@gmail.com>.
Hi Robert,

But the question is, suppose someone did the log checking with trace/debug
level intentionally. Then do we have any preventive measure to avoid it?

Or it is the issue with Third party Axis2 jar which is displaying the
password ?

Best regards,
Pavan landge

On Wed 19 Jun, 2019, 8:49 PM robertlazarski ., <ro...@gmail.com>
wrote:

>
>
> On Tue, Jun 18, 2019 at 9:28 PM pavan landge <pa...@gmail.com>
> wrote:
>
>>
>>
>> ---------- Forwarded message ---------
>> From: pavan landge <pa...@gmail.com>
>> Date: Thu 13 Jun, 2019, 3:30 PM
>> Subject: Axis2: Security Bug Severity 1
>> To: <ja...@axis.apache.org>
>> Cc: pavan landge <pa...@gmail.com>
>>
>>
>> Hi Team,
>>
>> I am using Axis2 jar for SOAP (Request/Response). In log4j (Logger) I am
>> enabling the logs to check whether the parameters passed with the soap envelope
>> are correct or not.
>> I can see in the soap envelope the *PASSWORD* is getting displayed.
>>
>>
> From an Axis2 security perspective, the WEB-INF/classes/log4j.properties
> that is shipped defaults to INFO level; you won't see this unless you
> purposely change the level and also are not encrypting your own sensitive
> user data.
>
> We suggest not doing that. We can't prevent bad practices though, should
> you choose to do so.
>
> If you really need to send the passwords etc. unencrypted, you can always
> use RAMPART to encrypt the payload body and use a digital signature to
> verify the integrity.
>
> Regards,
> Robert
>

Re: Axis2: Security Bug Severity 1

Posted by "robertlazarski ." <ro...@gmail.com>.
On Tue, Jun 18, 2019 at 9:28 PM pavan landge <pa...@gmail.com>
wrote:

>
>
> ---------- Forwarded message ---------
> From: pavan landge <pa...@gmail.com>
> Date: Thu 13 Jun, 2019, 3:30 PM
> Subject: Axis2: Security Bug Severity 1
> To: <ja...@axis.apache.org>
> Cc: pavan landge <pa...@gmail.com>
>
>
> Hi Team,
>
> I am using Axis2 jar for SOAP (Request/Response). In log4j (Logger) I am
> enabling the logs to check whether the parameters passed with the soap envelope
> are correct or not.
> I can see in the soap envelope the *PASSWORD* is getting displayed.
>
>
From an Axis2 security perspective, the WEB-INF/classes/log4j.properties
that is shipped defaults to INFO level; you won't see this unless you
purposely change the level and also are not encrypting your own sensitive
user data.

We suggest not doing that. We can't prevent bad practices though, should you
choose to do so.

If you really need to send the passwords etc. unencrypted, you can always
use RAMPART to encrypt the payload body and use a digital signature to
verify the integrity.

Regards,
Robert