ZooKeeper / ZOOKEEPER-2405

getTGT() in Login.java mishandles confidential information

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 3.4.8, 3.5.1, 3.6.0
    • Fix Version/s: 3.4.9, 3.5.2, 3.6.0
    • Component/s: kerberos, security, server
    • Labels: None
    • Hadoop Flags: Reviewed

      Description

      We're logging the Kerberos ticket when in debug mode, probably not the best idea. This was identified as a "critical" issue by Fortify.

          // Original getTGT() loop in Login.java: the debug line concatenates the
          // KerberosTicket itself, so its toString() output lands in the log.
          for (KerberosTicket ticket : tickets) {
              KerberosPrincipal server = ticket.getServer();
              if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                  LOG.debug("Found tgt " + ticket + ".");
                  return ticket;
              }
          }
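      The reason this is more than a verbosity problem is that KerberosTicket.toString() includes a hex dump of the ticket encoding and of the session key, so a debug log captures reusable credentials. The following is an added example, not ZooKeeper's code or the committed fix: it keeps the same matching loop but logs only ticket metadata. The class name, describe() helper and the dummy ticket values are constructed for illustration.

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtLogging {
    // Hardened lookup: same TGT test as the original loop, but the debug line
    // is built from describe() instead of the ticket's toString().
    static KerberosTicket findTgt(Subject subject) {
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = ticket.getServer();
            if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                System.out.println("DEBUG Found tgt " + describe(ticket) + "."); // stand-in for LOG.debug
                return ticket;
            }
        }
        return null;
    }

    // Metadata only: principals, validity window and key type. No ticket
    // encoding and no session key bytes, which toString() would both print.
    static String describe(KerberosTicket t) {
        return "client=" + t.getClient().getName()
             + " server=" + t.getServer().getName()
             + " validFrom=" + t.getStartTime()
             + " validUntil=" + t.getEndTime()
             + " keyType=" + t.getSessionKeyType();
    }

    public static void main(String[] args) {
        // Constructed placeholder ticket so the example runs without a KDC; the
        // encoding and key bytes are dummies, not real Kerberos material.
        Date now = new Date();
        KerberosTicket tgt = new KerberosTicket(
            new byte[] {0x01, 0x02, 0x03},
            new KerberosPrincipal("alice@EXAMPLE.COM"),
            new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
            new byte[16], 17, null, now, now,
            new Date(now.getTime() + 36_000_000L), null, null);
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(tgt);
        System.out.println("unsafe: " + tgt);              // dumps encoding and session key
        System.out.println("safe:   " + describe(findTgt(subject)));
    }
}
```

      Running it side by side shows the difference a reviewer would check for: the "unsafe" line contains the hex dump of the 16 dummy key bytes, the "safe" line does not.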

        Attachments

        1. ZOOKEEPER-2405-br3.4.patch (0.8 kB, Michael Han)
        2. ZOOKEEPER-2405.patch (0.9 kB, Michael Han)
        3. ZOOKEEPER-2405.patch (1 kB, Michael Han)
        4. ZOOKEEPER-2405.patch (0.8 kB, Michael Han)
        5. ZOOKEEPER-2405.patch (0.8 kB, Michael Han)

            People

            • Assignee: Michael Han (hanm)
            • Reporter: Patrick Hunt (phunt)
            • Votes: 0
            • Watchers: 5
