[ https://issues.apache.org/jira/browse/LOG4J2-3056?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Volkan Yazici closed LOG4J2-3056.
---------------------------------

> NameUtil.md5(String) could leak plaintext credentials
> -----------------------------------------------------
>
>                 Key: LOG4J2-3056
>                 URL: https://issues.apache.org/jira/browse/LOG4J2-3056
>             Project: Log4j 2
>          Issue Type: Bug
>            Reporter: Marcono1234
>            Assignee: Volkan Yazici
>            Priority: Major
>             Fix For: 2.15.0
>
>
> {{org.apache.logging.log4j.util.NameUtil.md5(String)}} could leak the
> credentials provided to it in case an exception is thrown:
> {code}
> public static String md5(final String string) {
>     try {
>         ...
>     } catch (final Exception ex) {
>         return string; // leaks plaintext credentials
>     }
> }
> {code}
> This is however very likely not a security issue currently because it appears
> the only exception which could occur is {{NoSuchAlgorithmException}}.
> Nonetheless I would recommend the following changes:
> - *Never return the plaintext {{String}}*
> - Wrap the {{getInstance("MD5")}} call with a {{try-catch}} catching the
> {{NoSuchAlgorithmException}}, wrapping it in an {{AssertionError}} and throw
> that, since the
> [documentation for {{MessageDigest}}|https://docs.oracle.com/javase/8/docs/api/java/security/MessageDigest.html]
> guarantees that every JRE must support MD5:
> {code}
> MessageDigest md5;
> try {
>     md5 = MessageDigest.getInstance("MD5");
> } catch (NoSuchAlgorithmException e) {
>     // Impossible; MessageDigest documentation guarantees that MD5 is supported
>     throw new AssertionError("MD5 is not supported", e);
> }
> {code}
> - Don't use {{string.getBytes()}}, that uses the default charset of the
> platform. I don't know what the 'correct' charset here would be (maybe
> UTF-8?), but it is very likely not the default charset.
> - Optional: Omit the call to {{MessageDigest.update}} and instead only call
> {{digest(byte[])}}.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
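
The fallback pattern from the report next to a form that follows its four recommendations, as an added example that is not part of the original message and is not the Log4j project's own fix. The class and method names, the `algorithm` parameter (added only to force the failure path), the sample password and the choice of UTF-8 are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

// Hypothetical class; not part of Log4j.
public final class Md5NoLeakExample {

    // Pattern from the report: on any failure the input is handed back, and the
    // caller stores or logs it believing it is a digest.
    static String md5Leaky(final String string, final String algorithm) {
        try {
            final MessageDigest digest = MessageDigest.getInstance(algorithm);
            digest.update(string.getBytes()); // platform default charset
            return toHex(digest.digest());
        } catch (final Exception ex) {
            return string; // leaks plaintext credentials
        }
    }

    // Hardened form: never returns the input, fails loudly if MD5 is missing,
    // uses an explicit charset (UTF-8 is an assumption) and digest(byte[]) only.
    static String md5Safe(final String string) {
        final MessageDigest digest;
        try {
            digest = MessageDigest.getInstance("MD5");
        } catch (final NoSuchAlgorithmException e) {
            throw new AssertionError("MD5 is not supported", e);
        }
        return toHex(digest.digest(string.getBytes(StandardCharsets.UTF_8)));
    }

    static String toHex(final byte[] bytes) {
        final StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (final byte b : bytes) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    public static void main(final String[] args) {
        final String secret = "constructed-sample-password"; // constructed input
        // An algorithm name no provider offers simulates the failure path.
        final String result = md5Leaky(secret, "NO-SUCH-ALGORITHM");
        System.out.println("leaky variant returned the input: " + result.equals(secret));
        final String hashed = md5Safe(secret);
        System.out.println("safe variant returned " + hashed.length() + " hex chars");
        System.out.println("safe output contains the input: " + hashed.contains(secret));
    }
}
```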