Posted to dev@ws.apache.org by "Jens Kordowski (JIRA)" <ji...@apache.org> on 2015/07/23 12:00:05 UTC

[jira] [Commented] (WSS-548) logging secretKey

    [ https://issues.apache.org/jira/browse/WSS-548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14638591#comment-14638591 ] 

Jens Kordowski commented on WSS-548:
------------------------------------

Some additional information I'd like to share:
I found this issue via a code scan (HP Fortify), hence this might show up in other companies as well.

And to summarize an attack scenario: CXF logs the payload / message on debug level, WSS4J logs the secretKey. With both pieces of information available in the log, this is an easy game for an attacker (if he gets access to the logs of course).

I think the developer benefit (easier debugging) is not worth the risk.

Best regards
Jens

> logging secretKey
> -----------------
>
>                 Key: WSS-548
>                 URL: https://issues.apache.org/jira/browse/WSS-548
>             Project: WSS4J
>          Issue Type: Bug
>          Components: WSS4J Core
>            Reporter: Jens Kordowski
>            Assignee: Colm O hEigeartaigh
>            Priority: Critical
>             Fix For: 2.0.3
>
>
> Hi,
> org.apache.wss4j.dom.message.WSSecEncryptedKey.prepareInternal() logs the secretKey to debug.
> Is that intended? I see a risk in doing so.
> Best regards
> Jens


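The risk described in this thread is a symmetric key written to a debug log next to the encrypted payload. As an added example (not part of the JIRA thread and not WSS4J's or CXF's own code), the Python below shows two defender-side controls: a scanner that finds base64 key material following a `secretKey`-style label in existing log lines, and a `logging.Filter` that redacts such values before they are written. The log lines, the label names and the key value are constructed for the example; the real WSS4J debug format is not reproduced here.

```python
import base64
import io
import logging
import re
from typing import List, Tuple

# Constructed 256-bit key (bytes 0..31) so the example is deterministic; not a real key.
KEY_B64 = base64.b64encode(bytes(range(32))).decode()

# Constructed sample log lines imitating the scenario in the thread: a CXF-style
# payload dump followed by a WSS4J-style line that dumps the symmetric key.
SAMPLE_LOG = [
    "DEBUG org.apache.cxf.example - Outbound Message: <soap:Envelope>"
    "<xenc:CipherValue>QUJDRA==</xenc:CipherValue></soap:Envelope>",
    "DEBUG org.apache.wss4j.dom.message.WSSecEncryptedKey - secretKey: " + KEY_B64,
    "DEBUG org.apache.cxf.example - sessionId=abcd1234 (not a key)",
    "DEBUG org.apache.wss4j.example - secretKey: short",  # too short to be a key
    "INFO  service started",
]

# Hypothetical label names; adjust to whatever a project actually logs.
KEY_LEAK_RE = re.compile(
    r"(?P<label>\b(?:secret|symmetric|ephemeral)Key\b)\s*[:=]\s*"
    r"(?P<value>[A-Za-z0-9+/]{22,}={0,2})"
)


def _looks_like_symmetric_key(b64: str) -> bool:
    """True if the value decodes to a 128-, 192- or 256-bit string (AES key sizes)."""
    try:
        raw = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) in (16, 24, 32)


def find_key_leaks(lines: List[str]) -> List[Tuple[int, str]]:
    """Scan log lines; return (1-based line number, label) for each probable key dump."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in KEY_LEAK_RE.finditer(line):
            if _looks_like_symmetric_key(m.group("value")):
                hits.append((n, m.group("label")))
    return hits


def redact(line: str) -> str:
    """Replace probable key material with a marker that keeps only the key size."""
    def _sub(m: "re.Match[str]") -> str:
        value = m.group("value")
        if not _looks_like_symmetric_key(value):
            return m.group(0)
        bits = len(base64.b64decode(value)) * 8
        return f"{m.group('label')}=<redacted {bits}-bit key>"
    return KEY_LEAK_RE.sub(_sub, line)


class SecretRedactingFilter(logging.Filter):
    """Handler-level filter: formats the record, redacts it, and lets it through."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # message is already formatted; avoid a second % pass
        return True


def demo_logger_output() -> List[str]:
    """Attach the filter to an in-memory handler and return what was emitted."""
    buf = io.StringIO()
    logger = logging.getLogger("wss4j.redaction.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(SecretRedactingFilter())
    logger.addHandler(handler)
    logger.debug("secretKey: %s", KEY_B64)  # the kind of statement the thread describes
    return buf.getvalue().splitlines()


if __name__ == "__main__":
    print("leaks found:", find_key_leaks(SAMPLE_LOG))
    for line in SAMPLE_LOG:
        print(redact(line))
    print("\n".join(demo_logger_output()))
```

The scanner is the check a code-scan finding like the one in this thread would be paired with: run `find_key_leaks` over archived debug logs to learn whether keys were ever written out, and the handler-side filter is a stopgap for deployments that cannot upgrade to the fixed release immediately. Removing the log statement itself, as the fix version does, is still the correct remedy; redaction only limits exposure.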

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)