[ https://issues.apache.org/jira/browse/GEODE-9354?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kirk Lund updated GEODE-9354:
-----------------------------
Description:
Refactor ArgumentRedactor to clean it up and make sure it's efficient.
Add test coverage for log statements containing:
{noformat}
-Dgemfire.ssl-truststore-password=<PASSWORD>
-Dgemfire.ssl-keystore-password=<PASSWORD>
{noformat}
Related to
[CVE-2021-34797|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34797]
in which logging is vulnerable to a log file redaction of sensitive information
flaw when using values that begin with characters other than letters or numbers
for passwords and security properties with the prefix "sysprop-",
"javax.net.ssl", or "security-".
Fixed in https://github.com/apache/geode/pull/6641.
Backported to 1.12 in
was:
Refactor ArgumentRedactor to clean it up and make sure it's efficient.
Add test coverage for log statements containing:
{noformat}
-Dgemfire.ssl-truststore-password=<PASSWORD>
-Dgemfire.ssl-keystore-password=<PASSWORD>
{noformat}
Related to
[CVE-2021-34797|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34797]
in which logging is vulnerable to a log file redaction of sensitive information
flaw when using values that begin with characters other than letters or numbers
for passwords and security properties with the prefix "sysprop-",
"javax.net.ssl", or "security-".
Fixed in https://github.com/apache/geode/pull/6641.
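The redaction gap the issue describes, as an added illustration that is not Geode's ArgumentRedactor code: a simplified regex redactor in the flawed form (a value is only recognised when it begins with a letter or digit) next to the hardened form, plus a check for which values would still reach the log. The key patterns, the mask string and the sample launch arguments are assumptions constructed for this note.

```python
import re

# Simplified stand-in for the CVE-2021-34797 failure mode; NOT Geode's
# ArgumentRedactor. Key patterns are assumptions modelled on the property
# names and prefixes named in the issue ("sysprop-", "javax.net.ssl",
# "security-", and *password properties).
KEY = (
    r"(?P<key>(?:-D|--)?(?:gemfire\.)?"
    r"(?:[\w.-]*password|(?:sysprop-|javax\.net\.ssl|security-)[\w.-]*))"
)

# Flawed form: the value is only matched when it starts with a letter or
# digit, so a value such as "-secret" or "$pw" after '=' is never redacted.
FLAWED = re.compile(KEY + r"=(?P<value>[A-Za-z0-9]\S*)")

# Hardened form: any non-whitespace run after '=' is treated as the value.
HARDENED = re.compile(KEY + r"=(?P<value>\S+)")

MASK = "********"  # assumed replacement text


def redact(line: str, pattern: re.Pattern = HARDENED) -> str:
    """Replace the value of every sensitive key=value pair in a log line."""
    return pattern.sub(lambda m: f"{m.group('key')}={MASK}", line)


def leaked_values(line: str, pattern: re.Pattern) -> list:
    """Sensitive values that survive redaction under `pattern`, i.e. what an
    audit of the written log file would still find in the clear."""
    redacted = redact(line, pattern)
    return [m.group("value") for m in HARDENED.finditer(redacted)
            if m.group("value") != MASK]


if __name__ == "__main__":
    # Constructed sample launch arguments; the passwords are fake.
    sample = ("-Dgemfire.ssl-keystore-password=abc123 "
              "-Dgemfire.ssl-truststore-password=-secret "
              "--J=-Djavax.net.ssl.keyStorePassword=$pw")
    print(redact(sample, FLAWED))
    print(leaked_values(sample, FLAWED))    # ['-secret', '$pw']
    print(redact(sample, HARDENED))
    print(leaked_values(sample, HARDENED))  # []
```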
> Refactor ArgumentRedactor and add tests for ssl-*store-password props
> ---------------------------------------------------------------------
>
> Key: GEODE-9354
> URL: https://issues.apache.org/jira/browse/GEODE-9354
> Project: Geode
> Issue Type: Bug
> Components: logging
> Affects Versions: 1.12.4, 1.13.4
> Reporter: Kirk Lund
> Assignee: Kirk Lund
> Priority: Major
> Labels: GeodeOperationAPI, pull-request-available
> Fix For: 1.12.5, 1.13.5, 1.14.0, 1.15.0
>
--
This message was sent by Atlassian Jira (v8.20.1#820001)