You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@karaf.apache.org by "Jean-Baptiste Onofré (JIRA)" <ji...@apache.org> on 2017/01/28 05:08:24 UTC
[jira] [Resolved] (KARAF-4200) Privacy Violation: Heap Inspection
[ https://issues.apache.org/jira/browse/KARAF-4200?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jean-Baptiste Onofré resolved KARAF-4200.
-----------------------------------------
Resolution: Not A Problem
Fix Version/s: (was: 4.0.9)
(was: 4.1.0)
The login module actually stores the password for the backend. We can imagine a workaround but it requires some deeper refactoring.
> Privacy Violation: Heap Inspection
> ----------------------------------
>
> Key: KARAF-4200
> URL: https://issues.apache.org/jira/browse/KARAF-4200
> Project: Karaf
> Issue Type: Bug
> Affects Versions: 4.0.3
> Reporter: Eduardo Aguinaga
>
> HP Fortify and SciTools Understand were used to perform an application security scan on the karaf source code.
> The method login() in JDBCLoginModule.java stores sensitive data in a String object on line 95, making it impossible to reliably purge the data from memory.
> JDBCLoginModule.java, lines 88-96:
> {code}
> 88 user = ((NameCallback) callbacks[0]).getName();
> 89
> 90 char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
> 91 if (tmpPassword == null) {
> 92 tmpPassword = new char[0];
> 93 }
> 94
> 95 String password = new String(tmpPassword);
> 96 principals = new HashSet<>();
> {code}
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)