[jira] [Commented] (MTOMCAT-323) Avoid using plaintext Keystore password in source code

Sat, 06 Feb 2021 12:04:04 -0800 


    [ 
https://issues.apache.org/jira/browse/MTOMCAT-323?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17280273#comment-17280273
 ] 

Mark Thomas commented on MTOMCAT-323:
-------------------------------------

In my astonishment I forgot to mention that potential security vulnerability 
reports should *NEVER* be reported via a public bug tracker. Instructions for 
the correct process may be found at: [http://www.apache.org/security/]

 

> Avoid using plaintext Keystore password in source code  
> --------------------------------------------------------
>
>                 Key: MTOMCAT-323
>                 URL: https://issues.apache.org/jira/browse/MTOMCAT-323
>             Project: Apache Tomcat Maven Plugin
>          Issue Type: Improvement
>            Reporter: Ying Zhang
>            Priority: Major
>
> We are a security research team at Virginia Tech. We are doing an empirical 
> study about the usefulness of the existing security vulnerability detection 
> tools. The following is a reported vulnerability by certain tools. We'll so 
> appreciate it if you can give any feedback on it.
> *Vulnerability Description*
> In file tomcat/test/org/apache/tomcat/util/net/TesterSupport.java, use hard 
> code password at Line 179.
> *Security Impact:*
> Keystore password should not be kept in the source code. The source code can 
> be widely shared in an enterprise environment, and is certainly shared in 
> open source. The product transmits or stores authentication credentials, but 
> it uses an insecure way that is susceptible to unauthorized interception 
> and/or retrieval. We understand it is in the TestSupport file, but should it 
> at least give some "reminder" to users for avoiding the misuses  
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/321.html]
> [https://cwe.mitre.org/data/definitions/522.html]
> [https://www.baeldung.com/java-keystore]
> *Solution we suggest*
> To be managed safely, passwords or secret keys should be stored in separate 
> configuration files or keystores. The Keystore password is better to load 
> from the locally set files instead of directly set in the code.
> *Please share with us your opinions/comments if there is any*
> Is the bug report helpful?
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to