Uploaded image for project: 'Zeppelin'
  1. Zeppelin
  2. ZEPPELIN-2733

Remove System Information Leak in Authentication.java

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Minor
    • Resolution: Fixed
    • None
    • 0.7.3, 0.8.0
    • security
    • None

    Description

      An information leak occurs when system data or debugging information leaves the program through an output stream or logging function.
      In the file Authentication.java,

      Line 137: LOG.debug("Encrypted user key is {}", userKey);
Line 148: LOG.debug("IV is {}, IV length is {}", initVector, initVector.length());

      These lines may print information which can reveal some important data to user making it vulnerable to attacks, we should not log this sensitive information.

      Attachments

        Issue Links

          Blocked

          Task - A task that needs to be done. ZEPPELIN-2864 Release 0.7.3

          • Major - Major loss of function.
          • Resolved
          links to

          Web Link GitHub Pull Request #2468

          Activity

            People

              yanboliang Yanbo Liang
              yanboliang Yanbo Liang
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: