Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
None
-
None
-
None
Description
org.apache.logging.log4j.util.NameUtil.md5(String) could leak the credentials provided to it in case an exception is thrown:
public static String md5(final String string) { try { ... } catch (final Exception ex) { return string; // leaks plaintext credentials } }
This is however very likely not a security issue currently because it appears the only exception which could occur is NoSuchAlgorithmException.
Nonetheless I would recommend the following changes:
- Never return the plaintext String
- Wrap the getInstance("MD5") call with a try-catch catching the NoSuchAlgorithmException, wrapping it in an AssertionError and throw that, since the documentation for MessageDigest guarantees that every JRE must support MD5:
MessageDigest md5; try { md5 = MessageDigest.getInstance("MD5"); } catch (NoSuchAlgorithmException e) { // Impossible; MessageDigest documentation guarantees that MD5 is supported throw new AssertionError("MD5 is not supported", e); }
- Don't use string.getBytes(), that uses the default charset of the platform. I don't know what the 'correct' charset here would be (maybe UTF-8?), but it is very likely not the default charset.
- Optional: Omit the call to MessageDigest.update and instead only call digest(byte[]).
Attachments
Issue Links
- links to