
List:       woden-dev
Subject:    [jira] [Commented] (WSS-548) logging secretKey
From:       "Jens Kordowski (JIRA)" <jira () apache ! org>
Date:       2015-07-23 10:00:05
Message-ID: JIRA.12846544.1437490645000.269913.1437645605983 () Atlassian ! JIRA


    [ https://issues.apache.org/jira/browse/WSS-548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14638591#comment-14638591 ]

Jens Kordowski commented on WSS-548:
------------------------------------

Some additional information I'd like to share:
I found this issue via a code scan (HP Fortify), hence this might show up in other companies as well.

And to summarize an attack scenario: CXF logs the payload / message on debug level, WSS4J logs the secretKey. With both information available in the log, this is an easy game for an attacker (if he gets access to the logs of course).

I think the developer benefit (easier debugging) is not worth the risk.

Best regards
Jens

> logging secretKey
> -----------------
> 
> Key: WSS-548
> URL: https://issues.apache.org/jira/browse/WSS-548
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Reporter: Jens Kordowski
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Fix For: 2.0.3
> 
> 
> Hi,
> org.apache.wss4j.dom.message.WSSecEncryptedKey.prepareInternal() logs the secretKey to debug. Is that intended? I see a risk in doing so.
> Best regards
> Jens
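The pattern reported above, shown as an added example that is not WSS4J's or CXF's own code: a hypothetical class with the debug statement that leaks the raw symmetric key next to a form that logs only the key algorithm, length and a short SHA-256 fingerprint, which still lets two log lines be correlated to the same key without letting a log reader recover it.

```java
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.logging.Logger;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;

/** Hypothetical stand-in for the affected code path; not the project's own class. */
public class KeyLoggingDemo {
    private static final Logger LOG = Logger.getLogger(KeyLoggingDemo.class.getName());

    /** Anti-pattern: the message puts the key bytes themselves into the log. */
    static String unsafeDebugMessage(SecretKey key) {
        // Anyone who can read the log (or the log aggregator) now holds the key,
        // and together with a logged ciphertext payload can decrypt it offline.
        return "secretKey: " + Base64.getEncoder().encodeToString(key.getEncoded());
    }

    /** Hardened: log what helps debugging, never the key material. */
    static String safeDebugMessage(SecretKey key) throws NoSuchAlgorithmException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(key.getEncoded());
        // Four bytes (8 hex chars) of a hash identify the key in the log
        // but are useless for recovering it.
        StringBuilder fp = new StringBuilder();
        for (int i = 0; i < 4; i++) {
            fp.append(String.format("%02x", digest[i]));
        }
        return String.format("secretKey: alg=%s len=%d bits fingerprint=%s",
                key.getAlgorithm(), key.getEncoded().length * 8, fp);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey(); // constructed sample key for the demo

        // Shown side by side on stdout so the difference is visible; in real
        // code only the hardened form should ever reach LOG.fine(...).
        System.out.println("vulnerable: " + unsafeDebugMessage(key));
        System.out.println("hardened:   " + safeDebugMessage(key));
        LOG.fine(safeDebugMessage(key));
    }
}
```

Even the hardened line belongs at debug level only; if the logger is misconfigured to emit it in production, it reveals nothing that would help decrypt a captured payload.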






