Uploaded image for project: 'ZooKeeper'
  1. ZooKeeper
  2. ZOOKEEPER-2405

getTGT() in Login.java mishandles confidential information

    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • 3.4.8, 3.5.1, 3.6.0
    • 3.4.9, 3.5.2, 3.6.0
    • kerberos, security, server
    • None
    • Reviewed

    Description

      We're logging the kerberos ticket when in debug mode, probably not the best idea. This was identified as a "critical" issue by Fortify.

              for(KerberosTicket ticket: tickets) {
                  KerberosPrincipal server = ticket.getServer();
                  if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
                      LOG.debug("Found tgt " + ticket + ".");
                      return ticket;
                  }
              }
      

      Attachments

        1. ZOOKEEPER-2405.patch
          0.8 kB
          Michael Han
        2. ZOOKEEPER-2405-br3.4.patch
          0.8 kB
          Michael Han
        3. ZOOKEEPER-2405.patch
          0.8 kB
          Michael Han
        4. ZOOKEEPER-2405.patch
          1 kB
          Michael Han
        5. ZOOKEEPER-2405.patch
          0.9 kB
          Michael Han

        Activity

          People

            hanm Michael Han
            phunt Patrick D. Hunt
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: