[ https://issues.apache.org/jira/browse/GEODE-9354?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kirk Lund updated GEODE-9354:
-----------------------------
Priority: Minor (was: Major)
> Refactor ArgumentRedactor and add tests for ssl-*store-password props
> ---------------------------------------------------------------------
>
> Key: GEODE-9354
> URL: https://issues.apache.org/jira/browse/GEODE-9354
> Project: Geode
> Issue Type: Bug
> Components: logging
> Affects Versions: 1.12.4, 1.13.4
> Reporter: Kirk Lund
> Assignee: Kirk Lund
> Priority: Minor
> Labels: GeodeOperationAPI, pull-request-available
> Fix For: 1.12.5, 1.13.5, 1.14.0, 1.15.0
>
>
> Refactor ArgumentRedactor to clean it up and make sure it's efficient.
> Add test coverage for log statements containing:
> {noformat}
> -Dgemfire.ssl-truststore-password=<PASSWORD>
> -Dgemfire.ssl-keystore-password=<PASSWORD>
> {noformat}
> Related to
> [CVE-2021-34797|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34797]
> in which logging is vulnerable to a log file redaction of sensitive
> information flaw when using values that begin with characters other than
> letters or numbers for passwords and security properties with the prefix
> "sysprop-", "javax.net.ssl", or "security-". This issue is fixed by
> overhauling the log file redaction in Apache Geode versions 1.12.5, 1.13.5,
> and 1.14.0.
> Fixed in https://github.com/apache/geode/pull/6641.
> Backported to:
> * 1.14 in https://github.com/apache/geode/pull/6747
> * 1.13 in https://github.com/apache/geode/pull/6749
> * 1.12 in https://github.com/apache/geode/pull/6750
--
This message was sent by Atlassian Jira
(v8.20.1#820001)
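
A regression check for the redaction behaviour described in the issue above, as an added example that is not Geode's ArgumentRedactor or its tests. The class name, the `WEAK` and `STRICT` patterns, and the sample log lines are all constructed for illustration; `WEAK` assumes a value must begin with a letter or digit, which is the failure mode the CVE text describes.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.regex.Pattern;

public class RedactionCoverage {
  // Hypothetical key matcher (not Geode's): an option name that contains "password"
  // or one of the prefixes named in the CVE text, with an optional -D in front.
  private static final String KEY =
      "(?<key>(?:-D)?[\\w.-]*(?:password|sysprop-|javax\\.net\\.ssl|security-)[\\w.-]*)";

  // Constructed weak form: only recognises values that begin with a letter or digit.
  static final Pattern WEAK =
      Pattern.compile(KEY + "=[A-Za-z0-9]\\S*", Pattern.CASE_INSENSITIVE);
  // Stricter form: any run of non-whitespace after '=' is treated as the value.
  static final Pattern STRICT =
      Pattern.compile(KEY + "=\\S+", Pattern.CASE_INSENSITIVE);

  static String redact(Pattern pattern, String line) {
    return pattern.matcher(line).replaceAll("${key}=********");
  }

  // Returns the redacted lines that still contain the secret they were logged with.
  static List<String> leaks(Pattern pattern, Map<String, String> secretByLine) {
    List<String> leaked = new ArrayList<>();
    for (Map.Entry<String, String> entry : secretByLine.entrySet()) {
      String redacted = redact(pattern, entry.getKey());
      if (redacted.contains(entry.getValue())) {
        leaked.add(redacted);
      }
    }
    return leaked;
  }

  public static void main(String[] args) {
    // Constructed log lines, each mapped to the secret it carries.
    Map<String, String> samples = new LinkedHashMap<>();
    samples.put("cmd: java -Dgemfire.ssl-truststore-password=changeit1 -Xmx1g", "changeit1");
    samples.put("cmd: java -Dgemfire.ssl-keystore-password=#Tr0ub4dor -Xmx1g", "#Tr0ub4dor");
    samples.put("props: security-password=-dash-first", "-dash-first");
    samples.put("cmd: java -Djavax.net.ssl.keyStorePassword=!bang42", "!bang42");
    System.out.println("weak pattern leaks:   " + leaks(WEAK, samples));
    System.out.println("strict pattern leaks: " + leaks(STRICT, samples));
    if (!leaks(STRICT, samples).isEmpty()) {
      throw new AssertionError("a secret survived redaction");
    }
  }
}
```

Asserting that the secret is absent from the redacted line, rather than comparing against one expected string, keeps the check valid if the mask text changes.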