[
https://issues.apache.org/jira/browse/WSS-548?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14638591#comment-14638591
]
Jens Kordowski commented on WSS-548:
------------------------------------
Some additional information I'd like to share:
I found this issue via a code scan (HP Fortify), hence this might show up in other companies as well.
And to summarize an attack scenario: CXF logs the payload / message on debug level, WSS4J logs the secretKey. With both pieces of information available in the log, this is an easy game for an attacker (if he gets access to the logs, of course).
I think the developer benefit (easier debugging) is not worth the risk.
Best regards
Jens
> logging secretKey
> -----------------
>
> Key: WSS-548
> URL: https://issues.apache.org/jira/browse/WSS-548
> Project: WSS4J
> Issue Type: Bug
> Components: WSS4J Core
> Reporter: Jens Kordowski
> Assignee: Colm O hEigeartaigh
> Priority: Critical
> Fix For: 2.0.3
>
>
> Hi,
> org.apache.wss4j.dom.message.WSSecEncryptedKey.prepareInternal() logs the
> secretKey to debug.
> Is that intended? I see a risk in doing so.
> Best regards
> Jens
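As an added illustration (not code from WSS4J, CXF or the reporter), a hypothetical helper showing what a debug statement can say about a SecretKey without writing the key material itself to the log: algorithm, bit length and a truncated SHA-256 fingerprint for correlating log lines. The class and method names are assumptions; the sample key is constructed.

```java
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.logging.Level;
import java.util.logging.Logger;

// Hypothetical helper (not WSS4J code): a log-safe description of a symmetric key.
public final class KeyLogging {
    private static final Logger LOG = Logger.getLogger(KeyLogging.class.getName());

    // The issue describes a debug line that contains the secret key itself.
    // This alternative reveals only metadata plus a short fingerprint, which
    // is enough to tell two keys apart in a trace but does not disclose either.
    static String safeDescription(SecretKey key) {
        byte[] encoded = key.getEncoded();
        String fingerprint;
        try {
            byte[] digest = MessageDigest.getInstance("SHA-256").digest(encoded);
            fingerprint = String.format("%02x%02x%02x%02x",
                    digest[0], digest[1], digest[2], digest[3]);
        } catch (NoSuchAlgorithmException e) {
            fingerprint = "n/a";
        }
        return "secretKey[alg=" + key.getAlgorithm()
                + ", bits=" + (encoded.length * 8)
                + ", fp=" + fingerprint + "]";
    }

    public static void main(String[] args) {
        // Constructed sample key; in practice it comes from the key generator.
        byte[] raw = new byte[16];
        for (int i = 0; i < raw.length; i++) {
            raw[i] = (byte) i;
        }
        SecretKey key = new SecretKeySpec(raw, "AES");
        // Guarding with isLoggable avoids building the string at all when
        // debug logging is off, so the key is never even formatted.
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine(safeDescription(key));
        }
    }
}
```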
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)