[ https://issues.apache.org/jira/browse/ZOOKEEPER-4994?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
youlong chen updated ZOOKEEPER-4994:
------------------------------------
Description:
h2. Security Vulnerability Report: Authentication Credential Logging
*Code Location:*
{{org.apache.zookeeper.server.auth.KeyAuthenticationProvider}} (Lines 93-113)
*Description:*
The authentication provider logs sensitive authentication credentials (keys and auth data) in plain text at line 99:
{quote}
LOG.debug("KeyAuthenticationProvider handleAuthentication ({}, {}) -> FAIL.\n", keyStr, authStr);
{quote}
*Impact:*
# Authentication keys are exposed in debug logs during failed authentication attempts
# Potential credential leakage through log files, log aggregation systems, or monitoring tools
# Compliance framework violations (PCI-DSS, GDPR, etc.)
*Recommendation:*
Remove or redact sensitive parameters from the log statement:
LOG.debug("KeyAuthenticationProvider handleAuthentication -> FAIL (credentials redacted)");
Alternatively, log only non-sensitive metadata (timestamp, source IP, attempt count) without actual credential values.
was:
h2. Security Vulnerability Report: Authentication Credential Logging
*Code Location:*
{{org.apache.zookeeper.server.auth.KeyAuthenticationProvider}} (Lines 93-113)
*Description:*
The authentication provider logs sensitive authentication credentials (keys and auth data) in plain text at line 99:
LOG.debug("KeyAuthenticationProvider handleAuthentication ({}, {}) -> FAIL.\n", keyStr, authStr);
*Impact:*
# Authentication keys are exposed in debug logs during failed authentication attempts
# Potential credential leakage through log files, log aggregation systems, or monitoring tools
# Compliance framework violations (PCI-DSS, GDPR, etc.)
*Recommendation:*
Remove or redact sensitive parameters from the log statement:
LOG.debug("KeyAuthenticationProvider handleAuthentication -> FAIL (credentials redacted)");
Alternatively, log only non-sensitive metadata (timestamp, source IP, attempt count) without actual credential values.
> Authentication Credential Logging
> ---------------------------------
>
> Key: ZOOKEEPER-4994
> URL: https://issues.apache.org/jira/browse/ZOOKEEPER-4994
> Project: ZooKeeper
> Issue Type: Bug
> Components: server
> Affects Versions: 3.9.4
> Reporter: youlong chen
> Priority: Minor
>
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
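To make the report's recommendation concrete, the following is an added Java illustration (not ZooKeeper's own code) that places the quoted log statement beside a variant recording only non-sensitive metadata. The class name FailedAuthAudit, the remoteAddr parameter, the per-source attempt counter and the use of java.util.logging in place of SLF4J are assumptions of this example.

```java
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added illustration, not ZooKeeper code. FailedAuthAudit, remoteAddr and the
// attempt counter are assumptions made for this example.
public final class FailedAuthAudit {
    private static final Logger LOG = Logger.getLogger(FailedAuthAudit.class.getName());

    // Failed attempts per source address: the metadata worth keeping in the log.
    private final Map<String, AtomicInteger> failuresBySource = new ConcurrentHashMap<>();

    // BEFORE (shape of the statement quoted from line 99): key and auth data
    // are interpolated into the message and land in the log verbatim.
    static String vulnerableMessage(String keyStr, String authStr) {
        return "KeyAuthenticationProvider handleAuthentication ("
                + keyStr + ", " + authStr + ") -> FAIL.";
    }

    // AFTER: same event, but only source address and attempt count are logged.
    // The credential values are never passed to the formatter at all.
    String redactedMessage(String remoteAddr) {
        int attempts = failuresBySource
                .computeIfAbsent(remoteAddr, a -> new AtomicInteger())
                .incrementAndGet();
        return String.format(
                "KeyAuthenticationProvider handleAuthentication -> FAIL"
                        + " (credentials redacted; from=%s, attempt=%d)",
                remoteAddr, attempts);
    }

    void recordFailure(String remoteAddr) {
        // A level guard alone does not help: debug logging may be enabled in
        // production, so the message itself must be free of credentials.
        if (LOG.isLoggable(Level.FINE)) {
            LOG.fine(redactedMessage(remoteAddr));
        }
    }

    public static void main(String[] args) {
        String key = "node1", auth = "s3cret-auth-value";   // constructed sample values
        FailedAuthAudit audit = new FailedAuthAudit();
        System.out.println("before: " + vulnerableMessage(key, auth));
        String after = audit.redactedMessage("10.0.0.5");
        System.out.println("after:  " + after);
        System.out.println("after:  " + audit.redactedMessage("10.0.0.5")); // attempt=2
        if (after.contains(key) || after.contains(auth)) {
            throw new AssertionError("credential leaked into log message");
        }
    }
}
```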