zookeeper-dev mailing list archives
From "Michael Han (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (ZOOKEEPER-2405) getTGT() in Login.java mishandles confidential information
Date Mon, 02 May 2016 23:26:12 GMT

     [ https://issues.apache.org/jira/browse/ZOOKEEPER-2405?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Michael Han updated ZOOKEEPER-2405:
-----------------------------------
    Attachment: ZOOKEEPER-2405.patch

Attach a patch for the fix. I think it is reasonable to log the client and server principal for
debugging, as these should not be considered sensitive information (compared to other fields
in the TGT such as the ticket session key), and logging them might be more helpful than completely removing
them from a debugging point of view.

Regarding the debug output from Kerberos itself when debugging is enabled (by setting debug
to true in both jaas.conf and the JVM), the output does not contain anything specific related
to the TGT, except the client / server principals.

[~phunt] PTAL

> getTGT() in Login.java mishandles confidential information
> ----------------------------------------------------------
>
>                 Key: ZOOKEEPER-2405
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2405
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: kerberos, security, server
>    Affects Versions: 3.4.8, 3.5.1, 3.6.0
>            Reporter: Patrick Hunt
>            Priority: Blocker
>             Fix For: 3.4.9, 3.5.2, 3.6.0
>
>         Attachments: ZOOKEEPER-2405.patch
>
>
> We're logging the kerberos ticket when in debug mode, probably not the best idea. This was identified as a "critical" issue by Fortify.
> {noformat}
>         for(KerberosTicket ticket: tickets) {
>             KerberosPrincipal server = ticket.getServer();
>             if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
>                 LOG.debug("Found tgt " + ticket + ".");
>                 return ticket;
>             }
>         }
> {noformat}
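An added, self-contained illustration of the issue and of the logging approach described in the comment above (this is not the attached ZOOKEEPER-2405.patch and not ZooKeeper's Login.java). It assumes a constructed ticket with placeholder encoding and session-key bytes, and uses java.util.logging in place of ZooKeeper's logger; the `keyHex` check relies on KerberosTicket.toString() dumping the session key through sun.security.util.HexDumpEncoder, which emits uppercase, space-separated hex.

```java
import java.util.Date;
import java.util.List;
import java.util.logging.Logger;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtLogging {
    private static final Logger LOG = Logger.getLogger(TgtLogging.class.getName());

    /** Same krbtgt test as Login.getTGT(), but only the principals reach the log. */
    static KerberosTicket findTgt(List<KerberosTicket> tickets) {
        for (KerberosTicket ticket : tickets) {
            KerberosPrincipal server = ticket.getServer();
            if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                // Before the fix: LOG.debug("Found tgt " + ticket + ".");
                // KerberosTicket.toString() dumps the DER-encoded ticket and the
                // session key bytes in hex, so the key ends up in the log file.
                LOG.fine("Found tgt for client " + ticket.getClient().getName()
                        + " from server " + server.getName());
                return ticket;
            }
        }
        return null;
    }

    /** Constructed stand-in for a TGT from the Subject; these bytes are sample data, not a real key. */
    static KerberosTicket sampleTgt() {
        KerberosPrincipal client = new KerberosPrincipal("zookeeper/host.example.com@EXAMPLE.COM");
        KerberosPrincipal server = new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM");
        byte[] sampleEncoding = {0x61, 0x03, 0x30, 0x01, 0x00};        // placeholder, not valid DER
        byte[] sampleSessionKey = {(byte) 0xCA, (byte) 0xFE, (byte) 0xBA, (byte) 0xBE};
        Date authTime = new Date();
        Date endTime = new Date(authTime.getTime() + 8 * 3600 * 1000L);
        // keyType 17 = aes128-cts-hmac-sha1-96; flags all false, so renewTill may be null
        return new KerberosTicket(sampleEncoding, client, server, sampleSessionKey, 17,
                new boolean[32], authTime, authTime, endTime, null, null);
    }

    public static void main(String[] args) {
        KerberosTicket tgt = sampleTgt();
        String oldDebugLine = "Found tgt " + tgt + ".";       // what the pre-fix line produced
        String keyHex = "CA FE BA BE";                         // hex dump of the sample key
        System.out.println("old debug line contains session key bytes: "
                + oldDebugLine.contains(keyHex));             // true
        findTgt(List.of(tgt));                                 // logs principals only
    }
}
```

Running `main` prints `true` for the old line and logs only the two principal names, which is the trade-off the comment argues for.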



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
