[ZOOKEEPER-2405] getTGT() in Login.java mishandles confidential information - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: 3.4.8, 3.5.1, 3.6.0
Fix Version/s: 3.4.9, 3.5.2, 3.6.0
Component/s: kerberos, security, server
Labels:
None

Hadoop Flags:

Reviewed

Description

We're logging the kerberos ticket when in debug mode, probably not the best idea. This was identified as a "critical" issue by Fortify.

        for(KerberosTicket ticket: tickets) {
            KerberosPrincipal server = ticket.getServer();
            if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                LOG.debug("Found tgt " + ticket + ".");
                return ticket;
            }
        }

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

ZOOKEEPER-2405.patch
17/May/16 22:20
0.8 kB
Michael Han
ZOOKEEPER-2405-br3.4.patch
17/May/16 22:18
0.8 kB
Michael Han
ZOOKEEPER-2405.patch
04/May/16 21:24
0.8 kB
Michael Han
ZOOKEEPER-2405.patch
03/May/16 20:00
1 kB
Michael Han
ZOOKEEPER-2405.patch
02/May/16 23:25
0.9 kB
Michael Han

Activity

People

Assignee:: Michael Han

Reporter:: Patrick D. Hunt

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 26/Mar/16 19:04

Updated:: 21/Jul/16 20:18

Resolved:: 25/May/16 20:47