Plaintext password is logged in server.log if enabling DEBUG for JBoss BPM Suite 6

Solution Unverified

Environment

  • Red Hat JBoss Business Process Management Suite (BPM Suite) 6.0.0
  • Red Hat JBoss Enterprise Business Rule Management System (BRMS) 6.0.0

Issue

When JBoss EAP 6.1.1 (on which BPM Suite 6 is installed) is started with DEBUG logging enabled, the login password is written in plaintext to server.log after a user logs into business-central.

13:36:37,595 DEBUG [org.apache.coyote.http11] (http-/10.10.7.34:8080-1) JBWEB003028: Start processing with input [j_username=jroy&j_password=Passboba123%21]

Resolution

This issue has been addressed in Red Hat JBoss BPM Suite 6.0.3 via RHSA-2014:1291.

Root Cause

This issue has been reported in BZ1065315.

Diagnostic Steps

Steps to reproduce:

  1. Enable DEBUG in standalone.xml as follows:

    <root-logger>
        <level name="DEBUG"/>
        <handlers>
            <handler name="CONSOLE"/>
            <handler name="FILE"/>
        </handlers>
    </root-logger>
    
  2. Start the server.
  3. Log into business-central.
  4. Search server.log for &j_password=.
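To check an existing server.log for the leak described above, and to mask the values before a log is shared for support, the following added Python script (not part of the Red Hat article) matches the JBWEB003028 DEBUG message and flags any echoed form body that carries a password parameter. The sample log is constructed; its second line is the one quoted in this article, and the parameter names other than j_password are assumed extras.

```python
import re
from urllib.parse import parse_qs

# The coyote DEBUG message quoted in the article echoes the raw request body
# inside "Start processing with input [...]".
INPUT_RE = re.compile(
    r"^(?P<time>\S+) DEBUG \[org\.apache\.coyote\.http11\] \((?P<thread>[^)]+)\) "
    r"JBWEB003028: Start processing with input \[(?P<body>.*)\]$"
)
# Form parameters that must never reach a log file. j_password is the one the
# article shows; "password" and "passwd" are assumed extras for illustration.
SECRET_PARAMS = {"j_password", "password", "passwd"}
SECRET_RE = re.compile(
    r"\b(" + "|".join(map(re.escape, sorted(SECRET_PARAMS))) + r")=[^&\]\s]*"
)

# Constructed sample log: a harmless DEBUG line, the article's leaking line,
# and a request body that carries no secret.
SAMPLE_LOG = """\
13:36:37,590 DEBUG [org.jboss.as.config] (MSC service thread 1-2) Configured system properties
13:36:37,595 DEBUG [org.apache.coyote.http11] (http-/10.10.7.34:8080-1) JBWEB003028: Start processing with input [j_username=jroy&j_password=Passboba123%21]
13:36:38,101 DEBUG [org.apache.coyote.http11] (http-/10.10.7.34:8080-2) JBWEB003028: Start processing with input [page=home&lang=en]
"""


def find_leaked_credentials(lines):
    """Return one finding per line whose echoed form body contains a secret parameter.

    The password value itself is deliberately not copied into the finding."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = INPUT_RE.match(line.rstrip("\n"))
        if not m:
            continue
        params = parse_qs(m.group("body"), keep_blank_values=True)
        leaked = sorted(SECRET_PARAMS & set(params))
        if leaked:
            findings.append({
                "line": lineno,
                "time": m.group("time"),
                "thread": m.group("thread"),
                "user": params.get("j_username", [""])[0],
                "params": leaked,
            })
    return findings


def redact_secrets(line):
    """Return the log line with every secret parameter's value replaced by ***."""
    return SECRET_RE.sub(lambda m: m.group(1) + "=***", line)


if __name__ == "__main__":
    for f in find_leaked_credentials(SAMPLE_LOG.splitlines()):
        print(f"line {f['line']} at {f['time']}: {f['params']} leaked for user {f['user']!r}")
    print(redact_secrets(SAMPLE_LOG.splitlines()[1]))
```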

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
