You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2017/05/22 14:16:28 UTC

[Bug 61114] New: startup.VersionLoggerListener may leak sensitive information

https://bz.apache.org/bugzilla/show_bug.cgi?id=61114

            Bug ID: 61114
           Summary: startup.VersionLoggerListener may leak sensitive
                    information
           Product: Tomcat 8
           Version: 8.0.28
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: juergen.hermann@1und1.de
  Target Milestone: ----

Related to https://bz.apache.org/bugzilla/show_bug.cgi?id=56401

When passwords or similar are part of the JVM command line, they end up in logs
that might be shipped to locations where you don't want that information to end
up in. At least well-known cases should be handled
(-Djavax.net.ssl.trustStorePassword=...).

Possible remedies:
* Provide an option to not log command line args (but the other information).
* Handle well-known cases via a blacklist of substrings / regex that prevent
logging ("javax.net.ssl.trustStorePassword", or "password" and "secret" in
general).

Or course, removing the listener also works, but at the price of removing *all*
of its logging.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 61114] startup.VersionLoggerListener may leak sensitive information

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61114

Michael Osipov <19...@gmx.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |1983-01-06@gmx.net

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 61114] startup.VersionLoggerListener may leak sensitive information

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61114

Konstantin Kolinko <kn...@gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX

--- Comment #1 from Konstantin Kolinko <kn...@gmail.com> ---
1. The option already exists. Looking at the oldest version supported now
(7.0.x), it is named "logArgs", in all newer versions as well.

http://tomcat.apache.org/tomcat-7.0-doc/config/listeners.html


2. Passing secrets via command line arguments is well-known bad idea / SNAFU,
because they are visible to other local users that can run "ps" command or read
"/proc/<pid>/cmdline".

A better idea will be to put them into conf/catalina.properties

Also see the FAQ
https://wiki.apache.org/tomcat/FAQ/Password

Note that system properties are not logged by default configuration of
VersionLoggerListener (configured by the "logProps" attribute).


3. Command line arguments provide important information for troubleshooting.

JVM options, memory size configuration, logging configuration.


4. Logs are well known to contain sensitive information (e.g. they may contain
session ids) and shall be protected from world-wide access.


I do not see what can be improved here. Closing as WONTFIX.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 61114] startup.VersionLoggerListener may leak sensitive information

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61114

--- Comment #2 from jhermann <ju...@1und1.de> ---
Sorry, should've thought of checking the docs before-hand. Thanks for the
hints, those helped.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org