[
https://issues.apache.org/jira/browse/DIRSERVER-2415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Emmanuel Lécharny resolved DIRSERVER-2415.
------------------------------------------
Fix Version/s: 2.0.0.AM28
Resolution: Fixed
Good catch!
The {{PasswordModifyRequestImpl}} class has a {{toString()}} method which looks
like this:
{code:java}
public String toString()
{
    StringBuilder sb = new StringBuilder();
    sb.append( "PwdModifyRequest :" );

    sb.append( "\n UserIdentity : " );
    if ( userIdentity != null )
    {
        sb.append( Strings.utf8ToString( userIdentity ) );
    }
    else
    {
        sb.append( "null" );
    }

    // Both password fields are decoded to a String and appended as-is,
    // so any logger that calls toString() receives them in cleartext.
    sb.append( "\n oldPassword : " );
    if ( oldPassword != null )
    {
        sb.append( Strings.utf8ToString( oldPassword ) );
    }
    else
    {
        sb.append( "null" );
    }

    sb.append( "\n newPassword : " );
    if ( newPassword != null )
    {
        sb.append( Strings.utf8ToString( newPassword ) );
    }
    else
    {
        sb.append( "null" );
    }

    return sb.toString();
}
{code}
which is obviously wrong.
I have modified the code to:
{code:java}
public String toString()
{
    StringBuilder sb = new StringBuilder();
    sb.append( "PwdModifyRequest :" );

    sb.append( "\n UserIdentity : " );
    if ( userIdentity != null )
    {
        sb.append( Strings.utf8ToString( userIdentity ) );
    }
    else
    {
        sb.append( "null" );
    }

    // Only the presence of a password is recorded; its value is never appended.
    sb.append( "\n oldPassword : " );
    if ( oldPassword != null )
    {
        sb.append( "Omitted for security reason" );
    }
    else
    {
        sb.append( "null" );
    }

    sb.append( "\n newPassword : " );
    if ( newPassword != null )
    {
        sb.append( "Omitted for security reason" );
    }
    else
    {
        sb.append( "null" );
    }

    return sb.toString();
}
{code}
> ApacheDS 2.0.0-AM26 LdapProtocolDecoder DEBUG logging does not obfuscate new
> password.
> --------------------------------------------------------------------------------------
>
> Key: DIRSERVER-2415
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2415
> Project: Directory ApacheDS
> Issue Type: Bug
> Components: logs, security
> Affects Versions: 2.0.0.AM26, 2.0.0.AM27
> Environment: Red Hat Enterprise Linux 8.9
> (most likely not OS specific)
> Reporter: Joseph Wheeler
> Priority: Minor
> Fix For: 2.0.0.AM28
>
>
> DISA Application Server Security Requirements Guide (SRG) V4R1 requirements
> V-204785 and V-204727 require an application server to generate a full-text
> recording of executed privileged commands. To meet this requirement,
> log4j.logger.org.apache.directory.api.CODEC_LOG=DEBUG was set in
> log4j.properties to capture commands sent to the server. While this fulfills
> the requirement, the resulting log data does not obfuscate new passwords when
> a command to change a password is sent. The old password appears to be
> obfuscated (shows 'oldPassword : null'), but the new password is present and
> in cleartext. This violates requirement V-204774 in the same SRG.
>
> Example from the log:
> 18 Nov 2024 17:59:01,224 DEBUG [NioProcessor-3]
> (org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode:143)
> - MSG_14002_DECODED_LDAP_MESSAGE (PwdModifyRequest :
> UserIdentity : uid=testaccount_20241118,ou=users,o=test
> oldPassword : null
> newPassword : Cle@rT3XtP@ssw0rd
>
> Issue confirmed on 2.0.0.AM26 and 2.0.0.AM27. Not tested on previous versions.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
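The fix above stops new leaks, but logs already written by 2.0.0.AM26/AM27 with CODEC_LOG at DEBUG still contain cleartext passwords. The following Python script is an added example, not part of the issue or of ApacheDS: it walks such a log, flags every PwdModifyRequest dump whose oldPassword/newPassword field holds a value other than "null" or the AM28 placeholder, and can scrub those values in place. The sample log is constructed here, patterned on the line quoted in the report; the assumption that each decoder dump is one timestamped line followed by indented continuation lines is based on that quoted entry and should be checked against your own log layout.

```python
"""Find and scrub cleartext passwords in ApacheDS CODEC_LOG DEBUG output
(the DIRSERVER-2415 leak). Added example; not ApacheDS code."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample, patterned on the entry quoted in the issue.
# Entry 1: pre-fix output, newPassword in cleartext.
# Entry 2: post-fix (AM28) output, both passwords replaced by the placeholder.
# Entry 3: constructed filler line that is not a decoder dump at all.
SAMPLE_LOG = """\
18 Nov 2024 17:59:01,224 DEBUG [NioProcessor-3] (org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode:143) - MSG_14002_DECODED_LDAP_MESSAGE (PwdModifyRequest :
    UserIdentity : uid=testaccount_20241118,ou=users,o=test
    oldPassword : null
    newPassword : Cle@rT3XtP@ssw0rd
18 Nov 2024 17:59:05,001 DEBUG [NioProcessor-3] (org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolDecoder.decode:143) - MSG_14002_DECODED_LDAP_MESSAGE (PwdModifyRequest :
    UserIdentity : uid=testaccount_20241118,ou=users,o=test
    oldPassword : Omitted for security reason
    newPassword : Omitted for security reason
18 Nov 2024 17:59:09,417 INFO  [main] (constructed.Filler:1) - constructed filler line, not a decoder dump
"""

# Assumed layout: every entry starts with a log4j-style timestamp; the
# toString() dump continues on the following, non-timestamped lines.
ENTRY_START = re.compile(r"^(\d{2} \w{3} \d{4} \d{2}:\d{2}:\d{2},\d{3}) ")
PWD_MODIFY_MARKER = "MSG_14002_DECODED_LDAP_MESSAGE (PwdModifyRequest :"
USER_IDENTITY_FIELD = re.compile(r"^\s*UserIdentity\s*:\s*(.*?)\s*$")
PASSWORD_FIELD = re.compile(r"^\s*(oldPassword|newPassword)\s*:\s*(.*?)\s*$")
REDACTED_PLACEHOLDER = "Omitted for security reason"  # what the AM28 fix writes


@dataclass
class Finding:
    line_no: int                  # log line holding the cleartext value
    timestamp: str                # timestamp of the enclosing DEBUG entry
    field: str                    # "oldPassword" or "newPassword"
    user_identity: Optional[str]  # UserIdentity of the same dump, if seen
    value_length: int             # length only; the secret is never stored


def _walk(text: str):
    """Yield (line_no, line, timestamp, user_identity, pwd_match) per line.

    pwd_match is a PASSWORD_FIELD match only for oldPassword/newPassword
    lines that sit inside a PwdModifyRequest dump; otherwise it is None.
    """
    in_pwd_modify = False
    timestamp = ""
    user_identity: Optional[str] = None
    for line_no, line in enumerate(text.splitlines(), start=1):
        start = ENTRY_START.match(line)
        if start:
            # New entry: only PwdModifyRequest dumps carry password fields.
            in_pwd_modify = PWD_MODIFY_MARKER in line
            timestamp = start.group(1)
            user_identity = None
            yield line_no, line, timestamp, user_identity, None
            continue
        pwd_match = None
        if in_pwd_modify:
            ident = USER_IDENTITY_FIELD.match(line)
            if ident:
                user_identity = ident.group(1)
            else:
                pwd_match = PASSWORD_FIELD.match(line)
        yield line_no, line, timestamp, user_identity, pwd_match


def _is_cleartext(value: str) -> bool:
    # "null" means the field was absent from the request; the placeholder is
    # the redacted form. A real password that is literally "null" is missed.
    return value not in ("null", REDACTED_PLACEHOLDER)


def scan_log(text: str) -> List[Finding]:
    """Report every password field that was logged in cleartext."""
    findings: List[Finding] = []
    for line_no, _line, ts, ident, m in _walk(text):
        if m and _is_cleartext(m.group(2)):
            findings.append(Finding(line_no, ts, m.group(1), ident, len(m.group(2))))
    return findings


def scrub_log(text: str) -> str:
    """Return the log with every cleartext password replaced by the placeholder."""
    out = []
    for _no, line, _ts, _ident, m in _walk(text):
        if m and _is_cleartext(m.group(2)):
            # Keep indentation and field name; drop only the secret itself.
            line = line[: m.start(2)] + REDACTED_PLACEHOLDER
        out.append(line)
    return "\n".join(out) + ("\n" if text.endswith("\n") else "")


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no} ({f.timestamp}): {f.field} for {f.user_identity} "
              f"logged in cleartext ({f.value_length} chars)")
```

On a real file, call `scan_log(open(path).read())` to inventory affected entries and `scrub_log` to produce a sanitized copy before the log is retained for audit. A `Finding` records only the field name, the UserIdentity and the length of the leaked value, so the report itself does not re-leak the password. Scrubbing the local file does not help with copies already forwarded to a SIEM or backup, and every user whose newPassword appears in a finding should be treated as having a compromised password.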