You are viewing a plain text version of this content. The canonical link for it is here.
Posted to notifications@logging.apache.org by "Marcono1234 (Jira)" <ji...@apache.org> on 2021/03/27 02:01:00 UTC
[jira] [Created] (LOG4J2-3056) NameUtil.md5(String) could leak
plaintext credentials
Marcono1234 created LOG4J2-3056:
-----------------------------------
Summary: NameUtil.md5(String) could leak plaintext credentials
Key: LOG4J2-3056
URL: https://issues.apache.org/jira/browse/LOG4J2-3056
Project: Log4j 2
Issue Type: Bug
Reporter: Marcono1234
{{org.apache.logging.log4j.util.NameUtil.md5(String)}} could leak the credentials provided to it in case an exception is thrown:
{code}
public static String md5(final String string) {
try {
...
} catch (final Exception ex) {
return string; // leaks plaintext credentials
}
}
{code}
This is however very likely not a security issue currently because it appears the only exception which could occur is {{NoSuchAlgorithmException}}.
Nonetheless I would recommend the following changes:
- *Never return the plaintext {{String}}*
- Wrap the {{getInstance("MD5")}} call with a {{try-catch}} catching the {{NoSuchAlgorithmException}}, wrapping it in an {{AssertionError}} and throw that, since the [documentation for {{MessageDigest}}|https://docs.oracle.com/javase/8/docs/api/java/security/MessageDigest.html] guarantees that every JRE must support MD5:
{code}
MessageDigest md5;
try {
md5 = MessageDigest.getInstance("MD5");
} catch (NoSuchAlgorithmException e) {
// Impossible; MessageDigest documentation guarantees that MD5 is supported
throw new AssertionError("MD5 is not supported", e);
}
{code}
- Don't use {{string.getBytes()}}, that uses the default charset of the platform. I don't know what the 'correct' charset here would be (maybe UTF-8?), but it is very likely not the default charset.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)