Marcono1234 created LOG4J2-3056:
-----------------------------------
Summary: NameUtil.md5(String) could leak plaintext credentials
Key: LOG4J2-3056
URL: https://issues.apache.org/jira/browse/LOG4J2-3056
Project: Log4j 2
Issue Type: Bug
Reporter: Marcono1234
{{org.apache.logging.log4j.util.NameUtil.md5(String)}} could leak the
credentials provided to it in case an exception is thrown:
{code}
public static String md5(final String string) {
try {
...
} catch (final Exception ex) {
return string; // leaks plaintext credentials
}
}
{code}
This is however very likely not a security issue currently because it appears
the only exception which could occur is {{NoSuchAlgorithmException}}.
Nonetheless I would recommend the following changes:
- *Never return the plaintext {{String}}*
- Wrap the {{getInstance("MD5")}} call with a {{try-catch}} catching the
{{NoSuchAlgorithmException}}, wrapping it in an {{AssertionError}} and throw
that, since the [documentation for
{{MessageDigest}}|https://docs.oracle.com/javase/8/docs/api/java/security/MessageDigest.html]
guarantees that every JRE must support MD5:
{code}
MessageDigest md5;
try {
md5 = MessageDigest.getInstance("MD5");
} catch (NoSuchAlgorithmException e) {
// Impossible; MessageDigest documentation guarantees that MD5 is supported
throw new AssertionError("MD5 is not supported", e);
}
{code}
- Don't use {{string.getBytes()}}, that uses the default charset of the
platform. I don't know what the 'correct' charset here would be (maybe UTF-8?),
but it is very likely not the default charset.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
