[ https://issues.apache.org/jira/browse/MTOMCAT-323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17280270#comment-17280270 ]

Mark Thomas edited comment on MTOMCAT-323 at 2/6/21, 7:50 PM:
--------------------------------------------------------------

I am frankly astonished that anyone involved in security research would think 
that this is a security vulnerability. The code in question is clearly test 
code. There is zero security risk associated with this code.

This report is not helpful at all. Such reports serve only to waste the 
valuable time of our volunteer communities.

Given that you indicate that you are using vulnerability scanning tools, please 
note that - due to the high level of false positives -  the Apache Software 
Foundation automatically rejects any vulnerability report consisting solely of 
output from a vulnerability scanning tool. The Apache Software Foundation only 
accepts such reports when accompanied by manual analysis that demonstrates that 
the claimed vulnerability exists and is exploitable.

Further reports along similar lines are likely to be resolved as invalid with 
no further comment.


was (Author: markt):
I am frankly astonished that anyone involved in security research would think 
that this is a security vulnerability. The code in question is clearly test 
code. There is zero security risk associated with this code.

This report is not helpful at all. Such reports serve only to waste the 
valuable time of our volunteer communities.

Given that you indicate that you are using vulnerability scanning tools, please 
note that - due to the high level of false positives -  the Apache Software 
Foundation automatically rejects any vulnerability report consisting solely of 
output from a vulnerability scanning tool. The Apache Software Foundation only 
accepts such reports when accompanied by manual analysis that demonstrates that 
the claimed vulnerability exists and is exploitable.

Further reports along similar lines are lines are likely to be resolved as 
invalid with no further comment.

> Avoid using plaintext Keystore password in source code  
> --------------------------------------------------------
>
>                 Key: MTOMCAT-323
>                 URL: https://issues.apache.org/jira/browse/MTOMCAT-323
>             Project: Apache Tomcat Maven Plugin
>          Issue Type: Improvement
>            Reporter: Ying Zhang
>            Priority: Major
>
> We are a security research team at Virginia Tech. We are doing an empirical 
> study about the usefulness of the existing security vulnerability detection 
> tools. The following is a vulnerability reported by certain tools. We would 
> really appreciate it if you could give any feedback on it.
> *Vulnerability Description*
> In file tomcat/test/org/apache/tomcat/util/net/TesterSupport.java, a 
> hard-coded password is used at Line 179.
> *Security Impact:*
> The keystore password should not be kept in the source code. The source code 
> can be widely shared in an enterprise environment, and is certainly shared in 
> open source. The product transmits or stores authentication credentials, but 
> it uses an insecure way that is susceptible to unauthorized interception 
> and/or retrieval. We understand it is in the TesterSupport file, but should it 
> at least give some "reminder" to users to avoid such misuse?
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/321.html]
> [https://cwe.mitre.org/data/definitions/522.html]
> [https://www.baeldung.com/java-keystore]
> *Solution we suggest*
> To be managed safely, passwords or secret keys should be stored in separate 
> configuration files or keystores. It is better to load the keystore password 
> from locally configured files than to set it directly in the code.
> *Please share with us your opinions/comments if there is any*
> Is the bug report helpful?
>  
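For a disposable test fixture the hard-coded password guards nothing, which is Mark's point. Where a keystore password does protect real keys, the reporter's suggested fix of loading it from outside the source tree looks like the following. This is an added example, not code from Tomcat or the Tomcat Maven Plugin; the environment variable name, the system property name, the properties key and the test-fixture fallback value are all assumptions chosen for the example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Properties;

/**
 * Resolves a keystore password from outside the source tree.
 * Lookup order (all names are assumptions for this example):
 *   1. environment variable TEST_KEYSTORE_PASSWORD
 *   2. properties file named by system property test.keystore.config,
 *      key "keystore.password"
 *   3. a documented fallback so unit tests still run with no configuration;
 *      the fallback only ever opens throwaway test keystores
 */
public final class KeystorePasswordSource {

    static final String ENV_VAR = "TEST_KEYSTORE_PASSWORD";
    static final String CONFIG_PROPERTY = "test.keystore.config";
    static final String CONFIG_KEY = "keystore.password";
    // Constructed fixture value; never protects production key material.
    static final char[] TEST_FIXTURE_FALLBACK = "changeit".toCharArray();

    private KeystorePasswordSource() {}

    /** Returns a fresh char[] so the caller can zero it after use. */
    public static char[] resolvePassword() throws IOException {
        String fromEnv = System.getenv(ENV_VAR);
        if (fromEnv != null && !fromEnv.isEmpty()) {
            return fromEnv.toCharArray();
        }
        String configPath = System.getProperty(CONFIG_PROPERTY);
        if (configPath != null) {
            Properties props = new Properties();
            try (InputStream in = Files.newInputStream(Path.of(configPath))) {
                props.load(in);
            }
            String fromFile = props.getProperty(CONFIG_KEY);
            if (fromFile != null && !fromFile.isEmpty()) {
                return fromFile.toCharArray();
            }
        }
        // Clone so zeroing the returned array does not destroy the constant.
        return TEST_FIXTURE_FALLBACK.clone();
    }

    /** Opens a keystore (JKS or PKCS12 per the JDK default) and wipes the password. */
    public static KeyStore load(Path keystoreFile)
            throws IOException, GeneralSecurityException {
        char[] password = resolvePassword();
        try (InputStream in = Files.newInputStream(keystoreFile)) {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(in, password);
            return ks;
        } finally {
            // Do not leave the secret lingering on the heap longer than needed.
            Arrays.fill(password, '\0');
        }
    }
}
```

Run a test suite against a real keystore with `TEST_KEYSTORE_PASSWORD=... mvn test` or `-Dtest.keystore.config=/path/to/local.properties`; with neither set, the fixture fallback keeps the tests self-contained, and a scanner flagging that literal is seeing a test constant, not a credential.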



--
This message was sent by Atlassian Jira
(v8.3.4#803005)