Plaintext password is logged in server.log if enabling DEBUG for JBoss BPM Suite 6
Environment
- Red Hat JBoss Business Process Management Suite (BPM Suite) 6.0.0
- Red Hat JBoss Enterprise Business Rule Management System (BRMS) 6.0.0
Issue
When JBoss EAP 6.1.1 (on which BPM Suite 6 is installed) is started with DEBUG logging enabled, the password is written in clear text to server.log
after logging into business-central:
13:36:37,595 DEBUG [org.apache.coyote.http11] (http-/10.10.7.34:8080-1) JBWEB003028: Start processing with input [j_username=jroy&j_password=Passboba123%21]
Resolution
This issue has been addressed in Red Hat JBoss BPM Suite 6.0.3 via RHSA-2014:1291.
Root Cause
This issue has been reported in BZ1065315.
Diagnostic Steps
Steps to reproduce:
- Enable DEBUG in standalone.xml as follows:
  <root-logger>
    <level name="DEBUG"/>
    <handlers>
      <handler name="CONSOLE"/>
      <handler name="FILE"/>
    </handlers>
  </root-logger>
- Start the server.
- Log into business-central.
- Look for &j_password= in server.log.
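As an added example (not part of the Red Hat article), the following Python scan finds and redacts the j_password value in org.apache.coyote.http11 DEBUG lines of the form quoted above, so an affected server.log can be checked and scrubbed before it is shared. The regex and the list of secret field names are assumptions based on that message format; the sample log lines are constructed from the quoted line.

```python
import re
from urllib.parse import unquote_plus

# Added example, not from the Red Hat article. Matches the org.apache.coyote.http11 DEBUG
# message quoted in the Issue section, where the raw form body is dumped inside [...].
INPUT_RE = re.compile(r"JBWEB003028: Start processing with input \[(?P<body>[^\]]*)\]")

# Form fields that carry secrets; j_password is the servlet FORM-auth field used by business-central.
SECRET_FIELDS = {"j_password", "password"}

def _split_body(body):
    """Split a raw application/x-www-form-urlencoded body into (key, raw_value) pairs."""
    return [part.partition("=")[::2] for part in body.split("&") if part]

def find_leaked_credentials(line):
    """Return [(field, decoded_value)] for secret fields dumped in one log line, else []."""
    m = INPUT_RE.search(line)
    if not m:
        return []
    return [(k, unquote_plus(v)) for k, v in _split_body(m.group("body"))
            if k.lower() in SECRET_FIELDS]

def redact_line(line):
    """Return the line with secret field values replaced; other fields are left untouched."""
    m = INPUT_RE.search(line)
    if not m:
        return line
    scrubbed = "&".join(f"{k}=***" if k.lower() in SECRET_FIELDS else f"{k}={v}"
                        for k, v in _split_body(m.group("body")))
    return line[:m.start("body")] + scrubbed + line[m.end("body"):]

def scan_server_log(lines):
    """Scan server.log lines; return ([(line_no, field), ...], redacted_lines)."""
    findings, redacted = [], []
    for n, line in enumerate(lines, 1):
        findings.extend((n, field) for field, _ in find_leaked_credentials(line))
        redacted.append(redact_line(line))
    return findings, redacted

# Constructed sample: the line quoted in the article plus an unaffected DEBUG line.
SAMPLE_LOG = [
    "13:36:37,595 DEBUG [org.apache.coyote.http11] (http-/10.10.7.34:8080-1) "
    "JBWEB003028: Start processing with input [j_username=jroy&j_password=Passboba123%21]",
    "13:36:38,001 DEBUG [org.jboss.as.server] (MSC service thread 1-2) Service started",
]
```

Running scan_server_log over a real server.log (one line per element) reports which lines leaked a credential and yields a copy safe to attach to a support case.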