[ https://issues.apache.org/jira/browse/QPID-8583?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Tomas Vavricka resolved QPID-8583. ---------------------------------- Fix Version/s: qpid-java-broker-9.0.0 Resolution: Fixed > [Broker-J] Privacy Violation: Heap Inspection > --------------------------------------------- > > Key: QPID-8583 > URL: https://issues.apache.org/jira/browse/QPID-8583 > Project: Qpid > Issue Type: Improvement > Components: Broker-J > Affects Versions: qpid-java-broker-8.0.6 > Reporter: Daniil Kirilyuk > Priority: Minor > Fix For: qpid-java-broker-9.0.0 > > > Sensitive data (such as passwords) stored in memory can be leaked if memory > is not cleared after use. Often, Strings are used store sensitive data, > however, since String objects are immutable, removing the value of a String > from memory can only be done by the JVM garbage collector. The garbage > collector is not required to run unless the JVM is low on memory, so there is > no guarantee as to when garbage collection will take place. In the event of > an application crash, a memory dump of the application might reveal sensitive > data. > There are several classes susceptible to this issue (e.g. > ConfiguredObjectMethodAttribute, ConfiguredDerivedInjectedAttribute, > ConfiguredSettableInjectedAttribute, CramMd5Base64HexNegotiator, > CramMd5Base64HashedNegotiator). -- This message was sent by Atlassian Jira (v8.20.10#820010) --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@qpid.apache.org For additional commands, e-mail: dev-h...@qpid.apache.org