You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@commons.apache.org by "Donald Kwakkel (JIRA)" <ji...@apache.org> on 2017/02/28 13:49:45 UTC

[jira] [Created] (NET-617) Heap Inspection: Passwords can be revealed from heap for ExtendedPop3Client

Donald Kwakkel created NET-617:
----------------------------------

             Summary: Heap Inspection: Passwords can be revealed from heap for ExtendedPop3Client
                 Key: NET-617
                 URL: https://issues.apache.org/jira/browse/NET-617
             Project: Commons Net
          Issue Type: Bug
          Components: POP3
    Affects Versions: 3.6
            Reporter: Donald Kwakkel


In src/main/java/org/apache/commons/net/pop3/ExtendedPOP3Client.java password is a String. This should be bytes and be cleared after usage.
 
Similair issue as https://issues.apache.org/jira/browse/NET-616

Mitigation: proper protect memory of os process and heap dumps.

Abstract:

The method auth() in ExtendedPOP3Client.java stores sensitive data in a String object, making it impossible to reliably purge the data from memory.


Explanation:

Sensitive data (such as passwords, social security numbers, credit card numbers etc) stored in memory can be leaked if memory is not cleared after use. Often, Strings are used store sensitive data, however, since String objects are immutable, removing the value of a String from memory can only be done by the JVM garbage collector. The garbage collector is not required to run unless the JVM is low on memory, so there is no guarantee as to when garbage collection will take place. In the event of an application crash, a memory dump of the application might reveal sensitive data.




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)