Donald Kwakkel created NET-617:
----------------------------------

             Summary: Heap Inspection: Passwords can be revealed from heap for ExtendedPop3Client
                 Key: NET-617
                 URL: https://issues.apache.org/jira/browse/NET-617
             Project: Commons Net
          Issue Type: Bug
          Components: POP3
    Affects Versions: 3.6
            Reporter: Donald Kwakkel


In src/main/java/org/apache/commons/net/pop3/ExtendedPOP3Client.java password 
is a String. This should be bytes and be cleared after usage.
 
Similar issue as https://issues.apache.org/jira/browse/NET-616

Mitigation: properly protect the memory of the OS process and heap dumps.

Abstract:

The method auth() in ExtendedPOP3Client.java stores sensitive data in a String 
object, making it impossible to reliably purge the data from memory.


Explanation:

Sensitive data (such as passwords, social security numbers, credit card numbers, 
etc.) stored in memory can be leaked if memory is not cleared after use. Often, 
Strings are used to store sensitive data; however, since String objects are 
immutable, removing the value of a String from memory can only be done by the 
JVM garbage collector. The garbage collector is not required to run unless the 
JVM is low on memory, so there is no guarantee as to when garbage collection 
will take place. In the event of an application crash, a memory dump of the 
application might reveal sensitive data.




--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
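The pattern the report asks for, shown as an added example that is not Commons Net code and does not reproduce the project's auth() method: the password is accepted as a char[], converted to bytes through a CharBuffer so that no String is ever created from it, packed into the SASL PLAIN message, and every intermediate buffer (including the caller's array) is zeroed in a finally block once the bytes have been written. The class name, method names and the sample credentials are assumptions made for this illustration.

```java
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/**
 * Added illustration (hypothetical class, not Commons Net code): building an
 * AUTH PLAIN argument from a char[] password and writing it to the server
 * without the secret ever being held in an immutable String. Every buffer that
 * carries the secret is zeroed as soon as the command has been sent.
 */
public final class ClearablePasswordExample {

    private ClearablePasswordExample() {}

    /**
     * Encodes the SASL PLAIN message "\0username\0password" as base64 bytes.
     * Only the returned array still carries the secret; the caller must wipe it
     * after writing it. The password array passed in is cleared before returning.
     */
    public static byte[] plainAuthArgument(String username, char[] password) {
        byte[] user = username.getBytes(StandardCharsets.UTF_8);
        // Encode chars to bytes via CharBuffer so no String is created from the password.
        ByteBuffer encoded = StandardCharsets.UTF_8.encode(CharBuffer.wrap(password));
        byte[] pass = new byte[encoded.remaining()];
        encoded.get(pass);
        byte[] message = new byte[user.length + pass.length + 2];
        try {
            message[0] = 0;
            System.arraycopy(user, 0, message, 1, user.length);
            message[user.length + 1] = 0;
            System.arraycopy(pass, 0, message, user.length + 2, pass.length);
            return Base64.getEncoder().encode(message);
        } finally {
            // Wipe every copy of the secret made here, plus the caller's array.
            Arrays.fill(pass, (byte) 0);
            Arrays.fill(message, (byte) 0);
            Arrays.fill(password, '\0');
            if (encoded.hasArray()) {
                Arrays.fill(encoded.array(), (byte) 0);
            }
        }
    }

    /**
     * Writes "AUTH PLAIN <base64>\r\n" to the stream (a socket in a real client)
     * and zeroes the base64 buffer once it has been sent.
     */
    public static void sendPlainAuth(OutputStream out, String username, char[] password)
            throws IOException {
        byte[] argument = plainAuthArgument(username, password);
        try {
            out.write("AUTH PLAIN ".getBytes(StandardCharsets.US_ASCII));
            out.write(argument);
            out.write("\r\n".getBytes(StandardCharsets.US_ASCII));
            out.flush();
        } finally {
            Arrays.fill(argument, (byte) 0);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample credentials. The literal below exists only for the demo;
        // a real client would read the password straight into a char[]
        // (for example via Console.readPassword()) and never into a String.
        char[] password = "hunter2".toCharArray();
        ByteArrayOutputStream wire = new ByteArrayOutputStream();
        sendPlainAuth(wire, "alice", password);
        System.out.println("sent: " + wire.toString(StandardCharsets.US_ASCII.name()).trim());
        System.out.println("password array after use: " + Arrays.toString(password));
    }
}
```

This only removes the copies the client itself creates; the base64 bytes written to the stream are wiped, but the "hunter2" literal in the demo's main() is still a String and would have to come from a char[] source in real code. It also does not replace the mitigation the report names: protecting the process memory and heap dumps at the OS level is still needed, since the JVM heap can be dumped at any point before the finally block runs.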
