You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@qpid.apache.org by "Daniil Kirilyuk (Jira)" <ji...@apache.org> on 2022/04/13 09:15:00 UTC

[jira] [Created] (QPID-8583) [Broker-J] Privacy Violation: Heap Inspection

Daniil Kirilyuk created QPID-8583:
-------------------------------------

             Summary: [Broker-J] Privacy Violation: Heap Inspection
                 Key: QPID-8583
                 URL: https://issues.apache.org/jira/browse/QPID-8583
             Project: Qpid
          Issue Type: Improvement
          Components: Broker-J
    Affects Versions: qpid-java-broker-8.0.6
            Reporter: Daniil Kirilyuk


Sensitive data (such as passwords) stored in memory can be leaked if memory is not cleared after use. Often, Strings are used store sensitive data, however, since String objects are immutable, removing the value of a String from memory can only be done by the JVM garbage collector. The garbage collector is not required to run unless the JVM is low on memory, so there is no guarantee as to when garbage collection will take place. In the event of an application crash, a memory dump of the application might reveal sensitive data.

There are several classes susceptible to this issue (e.g. ConfiguredObjectMethodAttribute, ConfiguredDerivedInjectedAttribute, ConfiguredSettableInjectedAttribute, CramMd5Base64HexNegotiator, CramMd5Base64HashedNegotiator).



--
This message was sent by Atlassian Jira
(v8.20.1#820001)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@qpid.apache.org
For additional commands, e-mail: dev-help@qpid.apache.org