Patrick Hunt created ZOOKEEPER-2405:
---------------------------------------

Summary: getTGT() in Login.java mishandles confidential information
Key: ZOOKEEPER-2405
URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2405
Project: ZooKeeper
Issue Type: Bug
Components: security, kerberos, server
Affects Versions: 3.5.1, 3.4.8, 3.6.0
Reporter: Patrick Hunt
Priority: Blocker
Fix For: 3.4.9, 3.5.2, 3.6.0

We're logging the Kerberos ticket when in debug mode, probably not the best idea. This was identified as a "critical" issue by Fortify.

{noformat}
for (KerberosTicket ticket : tickets) {
    KerberosPrincipal server = ticket.getServer();
    if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
        LOG.debug("Found tgt " + ticket + ".");
        return ticket;
    }
}
{noformat}

--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
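Added example (not code from ZooKeeper or the reporter) showing why `LOG.debug("Found tgt " + ticket + ".")` is a leak: on OpenJDK, `KerberosTicket.toString()` includes the session key and the encoded ticket as hex dumps, so the same TGT check is paired here with a summary that logs only principals and lifetime. The class `TgtLogging`, the helpers `isTgt` and `describeTicket`, and the dummy ticket, principals and 16-byte session key are all constructed for this illustration.

```java
import java.net.InetAddress;
import java.util.Date;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtLogging {

    /** Same test as Login.java: the ticket's server is krbtgt for its own realm. */
    static boolean isTgt(KerberosTicket ticket) {
        KerberosPrincipal server = ticket.getServer();
        return server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm());
    }

    /** Log-safe view of a ticket: principals and validity window only, never key material. */
    static String describeTicket(KerberosTicket ticket) {
        return "client=" + ticket.getClient().getName()
             + " server=" + ticket.getServer().getName()
             + " start=" + ticket.getStartTime()
             + " end=" + ticket.getEndTime()
             + " renewable=" + ticket.isRenewable();
    }

    public static void main(String[] args) {
        // Constructed sample ticket: a placeholder DER blob and a throwaway session key, not a real TGT.
        byte[] fakeAsn1 = new byte[] {0x61, 0x00};
        byte[] fakeSessionKey = new byte[16];
        for (int i = 0; i < fakeSessionKey.length; i++) {
            fakeSessionKey[i] = (byte) (0xA0 + i);
        }
        KerberosPrincipal client = new KerberosPrincipal("zookeeper/host.example.com@EXAMPLE.COM");
        KerberosPrincipal server = new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM");
        boolean[] flags = new boolean[9];
        flags[KerberosTicket.RENEWABLE_TICKET_FLAG] = true;
        long now = System.currentTimeMillis();
        KerberosTicket tgt = new KerberosTicket(fakeAsn1, client, server, fakeSessionKey,
                17 /* aes128-cts-hmac-sha1-96 */, flags,
                new Date(now), new Date(now), new Date(now + 10L * 3600_000L),
                new Date(now + 7L * 86400_000L), new InetAddress[0]);

        // What the original debug line would write versus what a log should carry.
        String unsafe = tgt.toString();
        String safe = describeTicket(tgt);

        System.out.println("isTgt=" + isTgt(tgt));
        System.out.println("toString() exposes session key: " + unsafe.contains("Session Key"));
        System.out.println("safe summary exposes session key: " + safe.contains("Session Key"));
        System.out.println("safe summary: " + safe);
    }
}
```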