[ https://issues.apache.org/jira/browse/ZOOKEEPER-2405?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15271464#comment-15271464 ]

Michael Han commented on ZOOKEEPER-2405:
----------------------------------------

[~phunt] I agree, just updated the patch. I think the credential set does not 
allow null elements; please refer to my findings below for more details.

> getTGT() in Login.java mishandles confidential information
> ----------------------------------------------------------
>
>                 Key: ZOOKEEPER-2405
>                 URL: https://issues.apache.org/jira/browse/ZOOKEEPER-2405
>             Project: ZooKeeper
>          Issue Type: Bug
>          Components: kerberos, security, server
>    Affects Versions: 3.4.8, 3.5.1, 3.6.0
>            Reporter: Patrick Hunt
>            Assignee: Michael Han
>            Priority: Blocker
>             Fix For: 3.4.9, 3.5.2, 3.6.0
>
>         Attachments: ZOOKEEPER-2405.patch, ZOOKEEPER-2405.patch, 
> ZOOKEEPER-2405.patch
>
>
> We're logging the Kerberos ticket when in debug mode, probably not the best 
> idea. This was identified as a "critical" issue by Fortify.
> {noformat}
>         for(KerberosTicket ticket: tickets) {
>             KerberosPrincipal server = ticket.getServer();
>             if (server.getName().equals("krbtgt/" + server.getRealm() + "@" + server.getRealm())) {
>                 LOG.debug("Found tgt " + ticket + ".");
>                 return ticket;
>             }
>         }
> {noformat}



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
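
Added example, not part of the original message and not the attached ZOOKEEPER-2405 patch: the same TGT lookup as the quoted loop, logging only the principals and expiry instead of the ticket object, whose toString() includes the encoded ticket and session key. The class name, the describe() helper, the EXAMPLE.COM principals and the placeholder ticket bytes are assumptions made for illustration.

```java
import java.util.Date;
import java.util.Set;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtLogExample {
    // Log-safe description: principals and expiry only. KerberosTicket.toString()
    // is avoided because it renders the encoded ticket and the session key.
    static String describe(KerberosTicket t) {
        return "client=" + t.getClient().getName()
             + " server=" + t.getServer().getName()
             + " expires=" + t.getEndTime();
    }

    // Same lookup as the quoted getTGT() loop, without concatenating the ticket into the log line.
    static KerberosTicket findTgt(Subject subject) {
        Set<KerberosTicket> tickets = subject.getPrivateCredentials(KerberosTicket.class);
        for (KerberosTicket ticket : tickets) {
            KerberosPrincipal server = ticket.getServer();
            String tgtName = "krbtgt/" + server.getRealm() + "@" + server.getRealm();
            if (server.getName().equals(tgtName)) {
                System.out.println("Found tgt: " + describe(ticket)); // stand-in for LOG.debug
                return ticket;
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed sample ticket: placeholder bytes, not a real Kerberos credential.
        byte[] fakeEncoding = {0x01, 0x02, 0x03, 0x04};
        byte[] fakeSessionKey = {(byte) 0xDE, (byte) 0xAD, (byte) 0xBE, (byte) 0xEF};
        Date now = new Date();
        KerberosTicket tgt = new KerberosTicket(fakeEncoding,
            new KerberosPrincipal("zkclient@EXAMPLE.COM"),
            new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
            fakeSessionKey, 17, null, now, now,
            new Date(now.getTime() + 3_600_000L), null, null);
        Subject subject = new Subject();
        subject.getPrivateCredentials().add(tgt);

        KerberosTicket found = findTgt(subject);
        String unsafe = String.valueOf(found); // what "Found tgt " + ticket would have logged
        System.out.println("safe line has 'Session Key': " + describe(found).contains("Session Key"));
        System.out.println("toString() has 'Session Key': " + unsafe.contains("Session Key"));
    }
}
```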
