List: xmlrpc-user
Subject: [jira] [Commented] (WSS-548) logging secretKey
From: "Jens Kordowski (JIRA)" <jira () apache ! org>
Date: 2015-07-23 10:00:05
Message-ID: JIRA.12846544.1437490645000.269913.1437645605983 () Atlassian ! JIRA
[ https://issues.apache.org/jira/browse/WSS-548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14638591#comment-14638591 ]
Jens Kordowski commented on WSS-548:
------------------------------------
Some additional information I'd like to share:
I found this issue via a code scan (HP Fortify), hence this might show up in other companies as well.
And to summarize an attack scenario: CXF logs the payload / message on debug level, WSS4J logs the secretKey. With both pieces of information available in the log, this is an easy game for an attacker (if he gets access to the logs of course).
I think the developer benefit (easier debugging) is not worth the risk.
Best regards
Jens
> logging secretKey
> -----------------
>
> Key: WSS-548
> URL: https://issues.apache.org/jira/browse/WSS-548
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Reporter: Jens Kordowski
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Fix For: 2.0.3
>
>
> Hi,
> org.apache.wss4j.dom.message.WSSecEncryptedKey.prepareInternal() logs the secretKey to debug. Is that intended? I see a risk in doing so.
> Best regards
> Jens
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
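The logging pattern the issue describes, beside a hardened form, as an added illustration that is not WSS4J's or CXF's own code: the class, method and logger names are hypothetical, only the risk (raw key bytes reaching a debug log) mirrors WSSecEncryptedKey.prepareInternal().

```java
// Added illustration, not WSS4J code: raw-key debug logging vs. a fingerprint.
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;

public class SecretKeyLogging {
    private static final Logger LOG = Logger.getLogger(SecretKeyLogging.class.getName());

    // Pattern the issue reports: the symmetric key itself is written at debug level.
    // Combined with a CXF message dump in the same log, the traffic can be decrypted.
    static void prepareUnsafe(SecretKey secretKey) {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("secretKey: " + Base64.getEncoder().encodeToString(secretKey.getEncoded()));
        }
    }

    // Hardened form: log what helps debugging (algorithm, size, a short fingerprint
    // to correlate log lines) and never the key bytes themselves.
    static void prepareSafe(SecretKey secretKey) {
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine("secretKey: " + describe(secretKey));
        }
    }

    // Fingerprint = first 4 bytes of SHA-256(key) in hex; identifies the key in a
    // log without being reversible into it.
    static String describe(SecretKey key) {
        byte[] encoded = key.getEncoded();
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(encoded);
            StringBuilder hex = new StringBuilder();
            for (int i = 0; i < 4; i++) {
                hex.append(String.format("%02x", digest[i]));
            }
            return key.getAlgorithm() + "/" + (encoded.length * 8) + "-bit, fp=" + hex;
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 unavailable", e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample key (16 zero bytes, AES-128); not a real key.
        SecretKey k = new SecretKeySpec(new byte[16], "AES");
        System.out.println("unsafe line would contain: " + Base64.getEncoder().encodeToString(k.getEncoded()));
        System.out.println("safe line contains:        " + describe(k));
    }
}
```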