Posted to dev@syncope.apache.org by "Francesco Chicchiriccò (Jira)" <ji...@apache.org> on 2019/11/05 07:12:00 UTC

[jira] [Commented] (SYNCOPE-1507) ACT_GE_BYTEARRAY table contains sensitive information such as password plaintext

    [ https://issues.apache.org/jira/browse/SYNCOPE-1507?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16967302#comment-16967302 ] 

Francesco Chicchiriccò commented on SYNCOPE-1507:
-------------------------------------------------

Any reason why you are still using an old version such as 2.1.1? [Syncope 2.1.2|https://cwiki.apache.org/confluence/display/SYNCOPE/Fusion#Fusion-2.1.2(November2nd,2018)] brought a deep refactoring of the Flowable implementation, which also involves a solution for problems such as the one reported in this issue.

I would suggest starting a brand new project based on 2.1.5 or, if not possible, upgrading to 2.1.5 by following the upgrade process:
 * [https://cwiki.apache.org/confluence/display/SYNCOPE/Upgrade+from+2.1.1+to+2.1.2]
 * [https://cwiki.apache.org/confluence/display/SYNCOPE/Upgrade+from+2.1.2+to+2.1.3]
 * [https://cwiki.apache.org/confluence/display/SYNCOPE/Upgrade+from+2.1.3+to+2.1.4]
 * [https://cwiki.apache.org/confluence/display/SYNCOPE/Upgrade+from+2.1.4+to+2.1.5]

Also, double-check whether you need the [Flowable User Workflow Adapter|http://syncope.apache.org/docs/2.1/reference-guide.html#flowable-user-workflow-adapter] or if the default one fits your use cases anyway; in the latter case, in fact, you won't have any Flowable-related table in the database, including {{ACT_GE_BYTEARRAY}}.

> ACT_GE_BYTEARRAY table contains sensitive information such as password plaintext
> --------------------------------------------------------------------------------
>
>                 Key: SYNCOPE-1507
>                 URL: https://issues.apache.org/jira/browse/SYNCOPE-1507
>             Project: Syncope
>          Issue Type: Bug
>    Affects Versions: 2.1.1
>            Reporter: zhongdongyue
>            Priority: Major
>         Attachments: image-2019-11-04-17-22-34-128.png, image-2019-11-04-17-54-31-621.png
>
>
> After the user is created, the ACT_GE_BYTEARRAY table still contains user-created information containing sensitive information such as password plaintext, which lacks security.
>  # Query user-related serialized data
>  # !image-2019-11-04-17-22-34-128.png|width=590,height=150!
>  # Export to hexadecimal data
>  # Convert hexadecimal to a string (the user name and password are circled in the figure)
>  # !image-2019-11-04-17-54-31-621.png|width=526,height=148!



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
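A post-upgrade audit check, added here as example code that is not part of Syncope, Flowable or this thread: after moving off the affected version, a deployment owner would want to confirm that the serialized blobs in ACT_GE_BYTEARRAY no longer carry a known credential in clear. The script takes rows exported as (ID_, NAME_, hex-encoded BYTES_), which is the shape of the reporter's "export to hexadecimal" step (the export query itself, and the name of the database's hex function, are assumptions and vary by database), decodes each blob and reports any row where one of the supplied test values appears in UTF-8 or UTF-16 form. The sample rows and the secret values are constructed for the example.

```python
"""Audit helper (hypothetical, not Syncope/Flowable code): scan exported
ACT_GE_BYTEARRAY rows for known credential values stored in plaintext."""

# Printable ASCII range, used for a `strings`-style view of a blob.
PRINTABLE = set(range(0x20, 0x7F))


def printable_strings(blob: bytes, min_len: int = 4):
    """Yield runs of printable ASCII of at least min_len bytes, like `strings`,
    so an operator can eyeball what a serialized blob contains."""
    run = bytearray()
    for b in blob:
        if b in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            yield run.decode("ascii")
        run = bytearray()
    if len(run) >= min_len:
        yield run.decode("ascii")


def encodings_of(value: str):
    """Byte forms in which a Java component may have written the value:
    (modified) UTF-8 as used by Java serialization, plus UTF-16 variants."""
    return {value.encode(enc) for enc in ("utf-8", "utf-16-le", "utf-16-be")}


def scan_rows(rows, secrets):
    """Return findings as (ID_, NAME_, secret_label) for every row whose
    decoded BYTES_ contain one of the secret values in any encoding.
    rows: iterable of (ID_, NAME_, hex string of BYTES_)
    secrets: {label: plaintext value} for the test accounts being audited"""
    findings = []
    for id_, name, hex_bytes in rows:
        blob = bytes.fromhex(hex_bytes)
        for label, value in secrets.items():
            if any(enc in blob for enc in encodings_of(value)):
                findings.append((id_, name, label))
    return findings


# Constructed sample rows. Row 1 mimics a Java-serialized variable map that
# carries the password in clear; row 2 carries only a digest-shaped value.
_DIGEST = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
SAMPLE_ROWS = [
    ("1", "var-user-xyz",
     (b"\xac\xed\x00\x05t\x00\x08username" b"t\x00\x05alice"
      b"t\x00\x08password" b"t\x00\x0bS3cr3tPass!").hex()),
    ("2", "var-user-abc",
     (b"\xac\xed\x00\x05t\x00\x08password" b"t\x00\x40"
      + _DIGEST.encode("ascii")).hex()),
]
# Constructed test credential for an audit account; never use real ones here.
SAMPLE_SECRETS = {"alice-password": "S3cr3tPass!"}


def main():
    for id_, name, label in scan_rows(SAMPLE_ROWS, SAMPLE_SECRETS):
        print(f"row {id_} ({name}): plaintext {label} present")
    for id_, _, hex_bytes in SAMPLE_ROWS:
        print(id_, list(printable_strings(bytes.fromhex(hex_bytes))))


if __name__ == "__main__":
    main()
```

Run it against a real export by feeding `scan_rows` the rows of the table and the credentials of dedicated test accounts created for the audit; a non-empty result after the upgrade means the workflow engine is still persisting the clear value and the Flowable adapter choice described above should be revisited.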