Details
- Type: Bug
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 4.0.3
- Fix Version/s: None
- Component/s: None
- Labels: None
Description
HP Fortify and SciTools Understand were used to perform an application security scan on the Karaf source code.
The method interactive() in Main.java stores sensitive data in a String object on line 127, making it impossible to reliably purge the data from memory.
Main.java, lines 120-137:

120 public String[] interactive(String destination, String name, String instruction, String[] prompt, boolean[] echo) {
121     String[] answers = new String[prompt.length];
122     try {
123         for (int i = 0; i < prompt.length; i++) {
124             if (echo[i]) {
125                 answers[i] = console.readLine(prompt[i] + " ");
126             } else {
127                 answers[i] = new String(console.readPassword(prompt[i] + " "));
128             }
129             if (answers[i] == null) {
130                 return null;
131             }
132         }
133         return answers;
134     } catch (IOError e) {
135         return null;
136     }
137 }
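As an added example that is not part of this report or of the Karaf code base, the class below shows the same prompt loop with the non-echoed answers kept as the char[] that readPassword() already returns, plus the caller-side zeroing that the linked SSHD-709 asks for. The AnswerSource interface and the constructed answers in main() are hypothetical stand-ins for java.io.Console, which needs a real terminal; everything else is plain JDK.

```java
import java.io.IOError;
import java.util.Arrays;

// Added example (not Karaf's code): the prompt loop from interactive(), but with
// secret answers held in char[] so they can be overwritten once they are used.
public class PasswordWipeDemo {

    // Hypothetical stand-in for java.io.Console so the example runs offline.
    interface AnswerSource {
        String readLine(String prompt);
        char[] readPassword(String prompt);
    }

    // Hardened variant: the char[] from readPassword() is returned as-is instead of
    // being wrapped in an immutable String that nothing can clear. Echoed answers are
    // not secret; they are copied into char[] only to keep one return type.
    static char[][] interactive(AnswerSource console, String[] prompt, boolean[] echo) {
        char[][] answers = new char[prompt.length][];
        try {
            for (int i = 0; i < prompt.length; i++) {
                if (echo[i]) {
                    String line = console.readLine(prompt[i] + " ");
                    answers[i] = (line == null) ? null : line.toCharArray();
                } else {
                    answers[i] = console.readPassword(prompt[i] + " "); // no new String(...)
                }
                if (answers[i] == null) {
                    wipe(answers); // do not leave partially collected secrets behind
                    return null;
                }
            }
            return answers;
        } catch (IOError e) {
            wipe(answers);
            return null;
        }
    }

    // Overwrite every collected answer; the caller does this as soon as it is done.
    static void wipe(char[][] answers) {
        for (char[] a : answers) {
            if (a != null) {
                Arrays.fill(a, '\0');
            }
        }
    }

    // Comparison that does not stop at the first mismatching character.
    static boolean constantTimeEquals(char[] a, char[] b) {
        int diff = a.length ^ b.length;
        for (int i = 0; i < Math.min(a.length, b.length); i++) {
            diff |= a[i] ^ b[i];
        }
        return diff == 0;
    }

    // Caller pattern: use the secret inside try, zero it in finally.
    static boolean authenticate(AnswerSource console, char[] expected) {
        char[][] answers = interactive(console,
                new String[] {"Login:", "Password:"}, new boolean[] {true, false});
        if (answers == null) {
            return false;
        }
        try {
            return constantTimeEquals(answers[1], expected);
        } finally {
            wipe(answers);
        }
    }

    public static void main(String[] args) {
        // Constructed answers standing in for what a user would type; the literal
        // here is test data only, a real source would never hold it in a String.
        AnswerSource fake = new AnswerSource() {
            public String readLine(String prompt) { return "karaf"; }
            public char[] readPassword(String prompt) { return "s3cret".toCharArray(); }
        };
        char[] expected = "s3cret".toCharArray();
        try {
            System.out.println("authenticated: " + authenticate(fake, expected));
        } finally {
            Arrays.fill(expected, '\0');
        }

        // Show that the buffers really are zeroed once wipe() has run.
        char[][] answers = interactive(fake, new String[] {"Password:"}, new boolean[] {false});
        wipe(answers);
        System.out.println("after wipe: " + Arrays.toString(answers[0]));
    }
}
```

The important difference from line 127 above is that no String is ever created from the password, so the only copy of the secret is the char[] the caller can reach and zero; the same pattern applies to any component downstream that currently takes the password as a String.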
Issue Links
- relates to KARAF-4200 Privacy Violation: Heap Inspection (Resolved)
- relates to SSHD-709 All passwords should be stored as char[] instead of String and wiped after use (Reopened)