Poorna Subhash P created LOG4J2-605:
---------------------------------------
Summary: NoSQL appender logging password in clear text.
Key: LOG4J2-605
URL: https://issues.apache.org/jira/browse/LOG4J2-605
Project: Log4j 2
Issue Type: Bug
Components: Appenders
Affects Versions: 2.0-rc1
Reporter: Poorna Subhash P
Priority: Critical

When using the Mongo NoSQL appender with configuration status=debug enabled, the
MongoDB password is logged in clear text. The following is a sample log statement.

2014-04-15 11:29:52,008 DEBUG Calling createNoSQLProvider on class
org.apache.logging.log4j.core.appender.db.nosql.mongodb.MongoDBProvider for
element MongoDb with params(collectionName="log4j",
writeConcernConstant="null", writeConcernConstantClass="null",
databaseName="logdb", server="localhost", port="27017", username="user",
password="pw", factoryClassName="null", factoryMethodName="null").

However, in the statement below it gives passwordHash.

2014-04-15 11:29:52,476 DEBUG Calling createAppender on class
org.apache.logging.log4j.core.appender.db.nosql.NoSQLAppender for element NoSql
with params(name="mongo", ignoreExceptions="null", null, bufferSize="null",
MongoDb(mongoDb{ database=logdb, server=localhost, port=270171, username=user,
passwordHash=4834821b7ecd2e7b7c571c0488189821 }))
2014-04-15 11:29:52,477 DEBUG Starting NoSQLDatabaseManager noSqlManager{
description=mongo, bufferSize=0, provider=mongoDb{ database=logdb,
server=localhost, port=27017, username=user,
passwordHash=4834821b7ecd2e7b7c571c0488189821 } }

Either the first statement has to be removed, or it has to be changed to print passwordHash.
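
A defender-side check for the leak reported above, as an added example that is not part of the original report or of Log4j: it scans Log4j status-logger output for quoted attributes whose names look like secrets and produces a redacted copy. The attribute-name list and the function names are assumptions, and the sample is abridged from the log lines in the report.

```python
import re

# Attribute names treated as secrets (assumed list; extend for your plugins).
SENSITIVE = re.compile(r"password|passwd|passphrase|secret|token", re.I)
# key="value" pairs as the status logger prints them inside params(...).
PAIR = re.compile(r'(\w+)="([^"]*)"')
# Each status-log event starts with a timestamp; other lines are wrapped text.
EVENT_START = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}")

# Sample input: two events abridged from the report, wrapped as in the e-mail.
SAMPLE = """\
2014-04-15 11:29:52,008 DEBUG Calling createNoSQLProvider on class
org.apache.logging.log4j.core.appender.db.nosql.mongodb.MongoDBProvider for
element MongoDb with params(collectionName="log4j", databaseName="logdb",
server="localhost", port="27017", username="user", password="pw").
2014-04-15 11:29:52,477 DEBUG Starting NoSQLDatabaseManager noSqlManager{
description=mongo, bufferSize=0, provider=mongoDb{ database=logdb,
username=user, passwordHash=4834821b7ecd2e7b7c571c0488189821 } }
"""

def events(lines):
    """Rejoin wrapped lines so each yielded string is one whole log event."""
    buf = []
    for line in lines:
        if EVENT_START.match(line) and buf:
            yield " ".join(buf)
            buf = []
        if line.strip():
            buf.append(line.strip())
    if buf:
        yield " ".join(buf)

def scan(lines):
    """Return (findings, redacted_events) for Log4j status-log lines."""
    findings, redacted = [], []
    for event in events(lines):
        ts = EVENT_START.match(event)
        def mask(m, when=ts.group() if ts else None):
            # "null" is how an unset attribute prints, so it is not a leak.
            if SENSITIVE.search(m.group(1)) and m.group(2) != "null":
                findings.append((when, m.group(1)))
                return f'{m.group(1)}="***"'
            return m.group(0)
        redacted.append(PAIR.sub(mask, event))
    return findings, redacted

if __name__ == "__main__":
    found, clean = scan(SAMPLE.splitlines())
    for when, key in found:
        print(f"cleartext {key} in status log event at {when}")
    print("\n".join(clean))
```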