commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Donald Kwakkel (JIRA)" <j...@apache.org>
Subject [jira] [Created] (NET-616) Heap Inspection: Passwords can be revealed from heap
Date Tue, 28 Feb 2017 13:45:45 GMT
Donald Kwakkel created NET-616:
----------------------------------

             Summary: Heap Inspection: Passwords can be revealed from heap
                 Key: NET-616
                 URL: https://issues.apache.org/jira/browse/NET-616
             Project: Commons Net
          Issue Type: Bug
          Components: IMAP
    Affects Versions: 3.6
            Reporter: Donald Kwakkel


password is used as string in src/main/java/org/apache/commons/net/imap/AuthenticatingIMAPClient.java.
This should be passed as bytes and be cleaned after usage.

Abstract:

The method newStringUtf8() in Base64.java stores sensitive data in a String object, making
it impossible to reliably purge the data from memory.


Explanation:

Sensitive data (such as passwords, social security numbers, credit card numbers etc) stored
in memory can be leaked if memory is not cleared after use. Often, Strings are used store
sensitive data, however, since String objects are immutable, removing the value of a String
from memory can only be done by the JVM garbage collector. The garbage collector is not required
to run unless the JVM is low on memory, so there is no guarantee as to when garbage collection
will take place. In the event of an application crash, a memory dump of the application might
reveal sensitive data.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)

Mime
View raw message