Posted to dev@qpid.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2018/03/16 17:46:00 UTC

[jira] [Commented] (QPIDJMS-368) Connection URL keystore/truststore/user passwords can be reported unmasked as part of client logs

    [ https://issues.apache.org/jira/browse/QPIDJMS-368?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16402250#comment-16402250 ] 

ASF subversion and git services commented on QPIDJMS-368:
---------------------------------------------------------

Commit 4b022971b7461ebaefe12161358e03c0af9b590a in qpid-jms's branch refs/heads/master from [~tabish121]
[ https://git-wip-us.apache.org/repos/asf?p=qpid-jms.git;h=4b02297 ]

QPIDJMS-368 Log only remote host information

Update the logging of remote to exclude anything other than the location
being connected to.

> Connection URL keystore/truststore/user passwords can be reported unmasked as part of client logs
> -------------------------------------------------------------------------------------------------
>
>                 Key: QPIDJMS-368
>                 URL: https://issues.apache.org/jira/browse/QPIDJMS-368
>             Project: Qpid JMS
>          Issue Type: Bug
>          Components: qpid-jms-client
>    Affects Versions: 0.30.0
>            Reporter: Alex Rudyy
>            Priority: Major
>
> Connection URL keystore/truststore/user passwords can be reported unmasked as part of client logs in the following cases:
> # when no failover is configured, a failed attempt to establish connectivity results in issuing the ERROR log as below
> {noformat}
> ERROR [main] o.a.q.j.JmsConnection Failed to connect to remote at: amqps://localhost:5672?transport.keyStoreLocation=%2Fpath%2Fkeystore.jks&transport.keyStorePassword=password&transport.trustStoreLocation=%2Fpath%2Fto%2Ftrsustore.jks&transport.trustStorePassword=password
> {noformat}
> # when failover is configured, a connectivity attempt can end up in logs like below
> {noformat}
> DEBUG [FailoverProvider: connect thread] o.a.q.j.p.f.FailoverProvider Connection attempt:[1] to: amqps://localhost:5672?transport.keyStoreLocation=/path/to/truststore.jks&transport.keyStorePassword=password&transport.trustStoreLocation=/path/to/keystore.jks&transport.trustStorePassword=password&jms.username=admin&jms.password=password in-progress
> INFO  [FailoverProvider: connect thread] o.a.q.j.p.f.FailoverProvider Connection attempt:[1] to: amqps://localhost:5672?transport.keyStoreLocation=/path/to/truststore.jks&transport.keyStorePassword=password&transport.trustStoreLocation=/path/to/keystore.jks&transport.trustStorePassword=password&jms.username=admin&jms.password=password failed
> {noformat}
> An attacker can potentially retrieve the credentials from the logs. It would be desirable to mask credential details when logging the connection URL.
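The two log-hygiene strategies this thread touches on, as an added illustration that is not qpid-jms code: the committed fix logs only the remote location (scheme, host, port), while a more general alternative keeps the query string for troubleshooting but masks any parameter whose name ends in "password", which covers transport.keyStorePassword, transport.trustStorePassword and jms.password from the report. The class and method names (SafeUriLogging, remoteLocation, redactQuery, isSecret) are assumptions chosen for this example, and the sample URI is constructed from the log lines quoted above.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.StringJoiner;

/**
 * Illustrative helpers (example code, not part of the qpid-jms client) for
 * keeping credentials out of connection-attempt log lines.
 *
 *  1. remoteLocation(): log only scheme://host[:port][path], dropping user-info
 *     and the query string, as the QPIDJMS-368 commit message describes.
 *  2. redactQuery(): keep the query for diagnostics but mask the value of any
 *     parameter whose name ends in "password" (case-insensitive).
 */
public final class SafeUriLogging {

    private static final String MASK = "*****";

    private SafeUriLogging() {
    }

    /** Returns only the location being connected to: scheme://host[:port][path]. */
    public static String remoteLocation(URI uri) {
        if (uri.getHost() == null) {
            // Registry-based or otherwise unparseable authority: do not echo it at all.
            return uri.getScheme() + "://<unparsed-authority>";
        }
        StringBuilder sb = new StringBuilder();
        sb.append(uri.getScheme()).append("://").append(uri.getHost());
        if (uri.getPort() != -1) {
            sb.append(':').append(uri.getPort());
        }
        String path = uri.getRawPath();
        if (path != null && !path.isEmpty()) {
            sb.append(path);
        }
        return sb.toString();
    }

    /**
     * Returns the location plus the query string with secret-looking parameter
     * values replaced by a mask. Works on the raw (still percent-encoded) query so
     * that encoded paths such as %2Fpath%2Fkeystore.jks are reproduced unchanged.
     */
    public static String redactQuery(URI uri) {
        String base = remoteLocation(uri);
        String rawQuery = uri.getRawQuery();
        if (rawQuery == null || rawQuery.isEmpty()) {
            return base;
        }
        StringJoiner joiner = new StringJoiner("&", base + "?", "");
        for (String pair : rawQuery.split("&")) {
            int eq = pair.indexOf('=');
            String name = eq < 0 ? pair : pair.substring(0, eq);
            if (isSecret(name)) {
                joiner.add(name + "=" + MASK);
            } else {
                joiner.add(pair);
            }
        }
        return joiner.toString();
    }

    /** Heuristic: any parameter name ending in "password" is treated as a secret. */
    static boolean isSecret(String name) {
        return name.toLowerCase(Locale.ROOT).endsWith("password");
    }

    public static void main(String[] args) throws URISyntaxException {
        // Constructed sample URI modelled on the log lines in the issue report.
        URI uri = new URI("amqps://localhost:5672"
                + "?transport.keyStoreLocation=%2Fpath%2Fkeystore.jks"
                + "&transport.keyStorePassword=password"
                + "&transport.trustStoreLocation=%2Fpath%2Fto%2Ftruststore.jks"
                + "&transport.trustStorePassword=password"
                + "&jms.username=admin&jms.password=password");

        // What the fixed client logs: location only.
        System.out.println("Failed to connect to remote at: " + remoteLocation(uri));

        // Alternative: query retained, password values masked.
        System.out.println("Connection attempt:[1] to: " + redactQuery(uri));
    }
}
```

The first line printed contains nothing but amqps://localhost:5672; the second keeps the keystore and truststore locations and jms.username but shows ***** for every password parameter. The suffix heuristic in isSecret is deliberately broad so that a newly added *Password option is masked by default; a stricter allow-list of known-safe parameter names would be the other defensible choice.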



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
