commons-issues mailing list archives

From "Sebb (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (NET-616) Heap Inspection: Passwords can be revealed from heap
Date Tue, 28 Feb 2017 21:39:45 GMT

[ https://issues.apache.org/jira/browse/NET-616?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15888909#comment-15888909 ]

Sebb commented on NET-616:
--------------------------

Fixing Base64#encodeBase64StringUnChunked would not solve the problem, as the password is
passed in using a String.

AFAICT large parts of the NET code would have to be rewritten to allow bytes (or chars?) to
be used instead of a String.

> Heap Inspection: Passwords can be revealed from heap
> ----------------------------------------------------
>
>                 Key: NET-616
>                 URL: https://issues.apache.org/jira/browse/NET-616
>             Project: Commons Net
>          Issue Type: Bug
>          Components: IMAP
>    Affects Versions: 3.6
>            Reporter: Donald Kwakkel
>
> Password is used as a string in src/main/java/org/apache/commons/net/imap/AuthenticatingIMAPClient.java.
> This should be passed as bytes and be cleaned after usage.
> Abstract:
> The method newStringUtf8() in Base64.java stores sensitive data in a String object, making
> it impossible to reliably purge the data from memory.
> Explanation:
> Sensitive data (such as passwords, social security numbers, credit card numbers, etc.)
> stored in memory can be leaked if memory is not cleared after use. Often, Strings are used
> to store sensitive data; however, since String objects are immutable, removing the value of a
> String from memory can only be done by the JVM garbage collector. The garbage collector is
> not required to run unless the JVM is low on memory, so there is no guarantee as to when garbage
> collection will take place. In the event of an application crash, a memory dump of the application
> might reveal sensitive data.



--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
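The handling the reporter asks for, and the reason Sebb's comment says a fix inside Base64 alone is not enough, can be shown in a few lines. The following is an added illustration for this thread, not Commons Net code: the credential stays in char[]/byte[] buffers from input to wire, the Base64 form is produced as a byte[] rather than a String, and every intermediate buffer is zeroed once it is no longer needed. The class and method names are chosen for this example only; the sample password is a constructed value.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/**
 * Example added for this thread (not part of Commons Net). Shows a credential
 * path that never passes through a String, so that each copy can be wiped.
 * Names are hypothetical and chosen for this illustration only.
 */
public final class WipeableCredential {

    private WipeableCredential() {
    }

    /** Overwrites a char[] with zeros so its contents no longer sit on the heap. */
    public static void wipe(char[] buf) {
        if (buf != null) {
            Arrays.fill(buf, '\0');
        }
    }

    /** Overwrites a byte[] with zeros. */
    public static void wipe(byte[] buf) {
        if (buf != null) {
            Arrays.fill(buf, (byte) 0);
        }
    }

    /**
     * UTF-8 encodes the secret and Base64-encodes the result without ever
     * creating a String. The UTF-8 buffers are wiped here; the returned Base64
     * bytes belong to the caller, who must wipe them after writing them out.
     */
    public static byte[] base64Utf8(char[] secret) {
        // CharBuffer.wrap does not copy; the encoder writes into a new ByteBuffer
        // (heap-allocated in the JDK's implementation).
        ByteBuffer utf8 = StandardCharsets.UTF_8.encode(CharBuffer.wrap(secret));
        byte[] exact = new byte[utf8.remaining()];
        try {
            utf8.get(exact);
            return Base64.getEncoder().encode(exact);
        } finally {
            wipe(exact);
            // The encoder's buffer may be larger than its content; zero the whole backing array.
            if (utf8.hasArray()) {
                wipe(utf8.array());
            }
        }
    }

    /** True when every element is zero; used below to verify the wipe. */
    public static boolean isZeroed(byte[] buf) {
        for (byte b : buf) {
            if (b != 0) {
                return false;
            }
        }
        return true;
    }

    /** True when every element is zero; used below to verify the wipe. */
    public static boolean isZeroed(char[] buf) {
        for (char c : buf) {
            if (c != '\0') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample. A String literal like this one lives in the constant
        // pool and is exactly the copy that cannot be wiped; real code would fill
        // the char[] from Console.readPassword() or a UI component instead.
        char[] password = "s3cret-pa55".toCharArray();
        byte[] wire = null;
        try {
            wire = base64Utf8(password);
            // The Base64 bytes would be written to the socket at this point.
            byte[] roundTrip = Base64.getDecoder().decode(wire);
            System.out.println("round trip ok: "
                    + Arrays.equals(roundTrip, "s3cret-pa55".getBytes(StandardCharsets.UTF_8)));
            wipe(roundTrip);
        } finally {
            wipe(password);
            wipe(wire);
        }
        System.out.println("password wiped: " + isZeroed(password));
        System.out.println("wire wiped: " + isZeroed(wire));
    }
}
```

The try/finally shape is the part that matters: wiping in the normal path only is not enough, because an exception thrown while writing to the socket would leave the buffers intact. Note also that wiping removes the copies this code created; it does nothing about copies the caller already made, which is why a String-typed password parameter defeats the effort no matter how the Base64 layer is written.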
