[ https://issues.apache.org/jira/browse/GEODE-9354?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kirk Lund updated GEODE-9354:
-----------------------------
Description:
Refactor ArgumentRedactor to clean it up and make sure it's efficient.
Add test coverage for log statements containing:
{noformat}
-Dgemfire.ssl-truststore-password=<PASSWORD>
-Dgemfire.ssl-keystore-password=<PASSWORD>
{noformat}
---
Related to
[CVE-2021-34797|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34797],
in which log file redaction of sensitive information fails for values that begin
with a character other than a letter or number, affecting passwords and security
properties with the prefix "sysprop-", "javax.net.ssl", or "security-". This
issue is fixed by overhauling the log file redaction in Apache Geode versions
1.12.5, 1.13.5, and 1.14.0.
Fixed in https://github.com/apache/geode/pull/6641.
Backported to:
* 1.14 in https://github.com/apache/geode/pull/6747
* 1.13 in https://github.com/apache/geode/pull/6749
* 1.12 in https://github.com/apache/geode/pull/6750
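The class of bug behind the CVE is easiest to see side by side: a redactor whose value pattern only recognises values that start with a letter or digit silently passes a password such as "#s3cret" through to the log, while a pattern that accepts any non-whitespace run redacts it. The following is an added illustration written for this page, not Geode's ArgumentRedactor; the sensitivity rule (keys containing "password" or carrying one of the three prefixes named above), the two value patterns and the sample command line are all assumptions constructed for the example.

```python
import re
from typing import List

REDACTED = "********"
# Prefixes the issue names as sensitive; treating every key with one of these
# prefixes as sensitive is an assumption for this example.
SENSITIVE_PREFIXES = ("sysprop-", "javax.net.ssl", "security-")

# Constructed sample of a logged command line (not taken from any real log).
SAMPLE_LOG_ARGS = (
    "java -Dgemfire.ssl-truststore-password=#s3cret "
    "-Dgemfire.ssl-keystore-password=abc123 -Dgemfire.log-level=info "
    "-Dgemfire.sysprop-api-token=-tok -Djavax.net.ssl.keyStorePassword=!pw"
)

# Flawed shape: a value is only recognised when it starts with a letter or digit,
# so "#s3cret", "-tok" and "!pw" are never matched and leak. Illustrative only.
FLAWED_VALUE = re.compile(r"^[A-Za-z0-9]\S*$")
# Fixed shape: any non-empty run of non-whitespace characters is a value.
FIXED_VALUE = re.compile(r"^\S+$")


def normalize_key(raw_key: str) -> str:
    """Strip the -D / -- / - option prefix and the gemfire. namespace so that
    '-Dgemfire.ssl-keystore-password' becomes 'ssl-keystore-password'."""
    key = raw_key
    for prefix in ("-D", "--", "-"):
        if key.startswith(prefix):
            key = key[len(prefix):]
            break
    if key.lower().startswith("gemfire."):
        key = key[len("gemfire."):]
    return key.lower()


def is_sensitive_key(raw_key: str) -> bool:
    """A key is sensitive if it mentions a password or carries a listed prefix."""
    key = normalize_key(raw_key)
    return "password" in key or key.startswith(SENSITIVE_PREFIXES)


def redact(text: str, value_pattern: "re.Pattern[str]" = FIXED_VALUE) -> str:
    """Replace the value of every sensitive key=value token whose value the
    given pattern recognises. Tokens are whitespace-delimited (assumption)."""
    out: List[str] = []
    for token in text.split(" "):
        key, sep, value = token.partition("=")
        if sep and is_sensitive_key(key) and value_pattern.match(value):
            token = f"{key}={REDACTED}"
        out.append(token)
    return " ".join(out)


def leaked_values(text: str, value_pattern: "re.Pattern[str]") -> List[str]:
    """Values of sensitive keys that survive redaction under value_pattern.
    Useful as a regression check: the list must be empty for the fixed pattern."""
    leaks: List[str] = []
    for token in redact(text, value_pattern).split(" "):
        key, sep, value = token.partition("=")
        if sep and is_sensitive_key(key) and value != REDACTED:
            leaks.append(value)
    return leaks


if __name__ == "__main__":
    print("flawed pattern leaks:", leaked_values(SAMPLE_LOG_ARGS, FLAWED_VALUE))
    print("fixed pattern leaks: ", leaked_values(SAMPLE_LOG_ARGS, FIXED_VALUE))
    print(redact(SAMPLE_LOG_ARGS))
```

Running the script shows the flawed pattern leaking the three values that begin with "#", "-" and "!", while the fixed pattern redacts every sensitive value; the leaked_values check is the shape of regression test the issue asks for on the two ssl-*store-password properties.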
> Refactor ArgumentRedactor and add tests for ssl-*store-password props
> ---------------------------------------------------------------------
>
> Key: GEODE-9354
> URL: https://issues.apache.org/jira/browse/GEODE-9354
> Project: Geode
> Issue Type: Bug
> Components: logging
> Affects Versions: 1.12.4, 1.13.4
> Reporter: Kirk Lund
> Assignee: Kirk Lund
> Priority: Minor
> Labels: GeodeOperationAPI, pull-request-available
> Fix For: 1.12.5, 1.13.5, 1.14.0, 1.15.0
>
>
> Refactor ArgumentRedactor to clean it up and make sure it's efficient.
> Add test coverage for log statements containing:
> {noformat}
> -Dgemfire.ssl-truststore-password=<PASSWORD>
> -Dgemfire.ssl-keystore-password=<PASSWORD>
> {noformat}
> ---
> Related to
> [CVE-2021-34797|https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-34797],
> in which log file redaction of sensitive information fails for values that
> begin with a character other than a letter or number, affecting passwords and
> security properties with the prefix "sysprop-", "javax.net.ssl", or
> "security-". This issue is fixed by overhauling the log file redaction in
> Apache Geode versions 1.12.5, 1.13.5, and 1.14.0.
> Fixed in https://github.com/apache/geode/pull/6641.
> Backported to:
> * 1.14 in https://github.com/apache/geode/pull/6747
> * 1.13 in https://github.com/apache/geode/pull/6749
> * 1.12 in https://github.com/apache/geode/pull/6750
--
This message was sent by Atlassian Jira
(v8.20.10#820010)