Karaf issue KARAF-4200

Privacy Violation: Heap Inspection

Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Not A Problem
    • Affects Version: 4.0.3

    Description

      HP Fortify and SciTools Understand were used to perform an application security scan on the Karaf source code.

      The method login() in JDBCLoginModule.java stores sensitive data in a String object on line 95, making it impossible to reliably purge the data from memory.

      JDBCLoginModule.java, lines 88-96:

      88 user = ((NameCallback) callbacks[0]).getName();
      89 
      90 char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
      91 if (tmpPassword == null) {
      92     tmpPassword = new char[0];
      93 }
      94 
      95 String password = new String(tmpPassword);
      96 principals = new HashSet<>();
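      The finding above turns on one property of the JVM: a String is immutable and stays in the heap until the garbage collector reclaims it, whereas a char[] or byte[] can be overwritten in place the moment it is no longer needed. The Java below is an added example, not Karaf's code: the PasswordHandling class, the digest helper, and the example password and stored hash are assumptions made for illustration. It places the flagged shape (String copy) beside a flow that keeps the secret only in arrays and wipes every copy it holds.

```java
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import javax.security.auth.callback.PasswordCallback;

// Added example, not Karaf's code: contrasts the pattern Fortify flagged (a String copy of the
// password) with a char[]/byte[] flow that is scrubbed as soon as verification is done.
public class PasswordHandling {

    // Constructed stored credential: a real login module would read this from the user store;
    // here it is derived at startup from a constructed example password.
    private static final byte[] STORED_HASH = digest("example-password".toCharArray());

    // The flagged shape: the String copy is immutable and lives until the GC reclaims it,
    // so nothing in this method can overwrite it. toCharArray() leaves a second stray copy.
    static boolean loginWithString(PasswordCallback cb, byte[] storedHash) {
        char[] tmpPassword = cb.getPassword();
        if (tmpPassword == null) {
            tmpPassword = new char[0];
        }
        String password = new String(tmpPassword);      // copy that cannot be zeroed
        byte[] actual = digest(password.toCharArray());  // another copy left behind
        return MessageDigest.isEqual(storedHash, actual);
    }

    // Hardened shape: keep the secret only in arrays, verify, then overwrite every copy we hold.
    // getPassword() returns a clone, so the callback keeps its own copy until clearPassword()
    // overwrites it with spaces.
    static boolean loginWithCharArray(PasswordCallback cb, byte[] storedHash) {
        char[] tmpPassword = cb.getPassword();
        if (tmpPassword == null) {
            tmpPassword = new char[0];
        }
        byte[] actual = null;
        try {
            actual = digest(tmpPassword);
            return MessageDigest.isEqual(storedHash, actual);  // constant-time compare
        } finally {
            Arrays.fill(tmpPassword, '\0');   // our clone
            if (actual != null) {
                Arrays.fill(actual, (byte) 0);
            }
            cb.clearPassword();               // the callback's copy
        }
    }

    // SHA-256 over the UTF-8 encoding of the chars, built without ever creating a String.
    // A real credential store would use a salted, slow password hash; plain SHA-256 is used
    // only to keep this example self-contained.
    static byte[] digest(char[] chars) {
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(chars));
        byte[] bytes = new byte[encoded.remaining()];
        encoded.get(bytes);
        try {
            return MessageDigest.getInstance("SHA-256").digest(bytes);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        } finally {
            Arrays.fill(bytes, (byte) 0);
            if (encoded.hasArray()) {
                Arrays.fill(encoded.array(), (byte) 0);  // the encoder's scratch buffer
            }
        }
    }

    public static void main(String[] args) {
        PasswordCallback cb = new PasswordCallback("password: ", false);
        cb.setPassword("example-password".toCharArray());  // constructed input
        System.out.println("String flow accepted:  " + loginWithString(cb, STORED_HASH));
        System.out.println("char[] flow accepted:  " + loginWithCharArray(cb, STORED_HASH));

        cb.setPassword("wrong-password".toCharArray());     // constructed input
        System.out.println("char[] flow rejected bad password: " + !loginWithCharArray(cb, STORED_HASH));
    }
}
```

      Two caveats a practitioner should keep in mind when weighing this class of finding. First, the array discipline only pays off when verification happens locally on the bytes; an API that accepts only String, such as JDBC's PreparedStatement.setString, forces the String copy regardless, which is the practical limit for a module that hands the password to a database. Second, zeroing is best effort: the garbage collector may already have moved or copied the array, and MessageDigest keeps its own internal buffers, so wiping shortens the window rather than closing it.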
      

      People

        Assignee: Unassigned
        Reporter: Eduardo Aguinaga (EdAInWestOC)