Clarity: LDAP passwords showing in clear text inside app-niku.log whenever com.niku.union.web debug is turned on

Document ID : KB000051793
Last Modified Date : 14/02/2018

Description:

Technical Details:

LDAP passwords are shown in clear text inside app-niku.log whenever com.niku.union.web is set to debug mode.

  • Environment: Clarity 12.0.2, MSQL 2005

  • Logs from app-niku below:

    action=[Ljava.lang.String;@8aa1f5, submit=[Ljava.lang.String;@18ef09e,
    redirectAction=[Ljava.lang.String;@1572855,
    passWord=[Ljava.lang.String;@1190b17}
    DEBUG 2010-03-03 10:36:31,663 [http-80-Processor4] web.WebControlServlet
    (unknown:none:homeActionId) Parameter userName values
    DEBUG 2010-03-03 10:36:31,663 [http-80-Processor4] web.WebControlServlet
    (unknown:none:homeActionId) userName[0]=jgaskill
    DEBUG 2010-03-03 10:36:31,663 [http-80-Processor4] web.WebControlServlet
    (unknown:none:homeActionId) Parameter action values
    DEBUG 2010-03-03 10:36:31,663 [http-80-Processor4] web.WebControlServlet
    (unknown:none:homeActionId) action[0]=security.loginAction
    DEBUG 2010-03-03 10:36:31,663 [http-80-Processor4] web.WebControlServlet
    (unknown:none:homeActionId) Parameter submit values
    DEBUG 2010-03-03 10:36:31,663 [http-80-Processor4] web.WebControlServlet
    (unknown:none:homeActionId) submit[0]=Login
    DEBUG 2010-03-03 10:36:31,663 [http-80-Processor4] web.WebControlServlet
    (unknown:none:homeActionId) Parameter redirectAction values
    DEBUG 2010-03-03 10:36:31,663 [http-80-Processor4] web.WebControlServlet
    (unknown:none:homeActionId) redirectAction[0]=homeActionId
    DEBUG 2010-03-03 10:36:31,663 [http-80-Processor4] web.WebControlServlet
    (unknown:none:homeActionId) Parameter passWord values
    DEBUG 2010-03-03 10:36:31,663 [http-80-Processor4] web.WebControlServlet
    (unknown:none:homeActionId) passWord[0]=ldap

Steps to reproduce:

  1. Go into NSA and turn on debug for com.niku.union.web

  2. Restart Clarity services if needed

  3. Log into Clarity application using LDAP user authentication

Expected Results:

We should not see the password in clear text inside app-niku.log

Actual Result:

We are seeing passwords for LDAP users in clear text inside app-niku.log

Solution:

WORKAROUND:
None.

STATUS/RESOLUTION:
Resolved in Clarity 12.1.0
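
Log files written while com.niku.union.web debug was on keep the passWord values after the setting is turned off. The following is an added example, not vendor code: a Python scanner that finds passWord[n]= entries in the log layout shown above, pairs each with the most recent userName on the same thread so the affected accounts can be identified, and redacts the value. The sample log, the function name scan_and_redact and the [REDACTED] marker are assumptions made for this example.

```python
import re

# Constructed sample in the two-line wrapped layout shown in this article.
SAMPLE_LOG = """\
DEBUG 2010-03-03 10:36:31,663 [http-80-Processor4] web.WebControlServlet
(unknown:none:homeActionId) userName[0]=alice.example
DEBUG 2010-03-03 10:36:31,663 [http-80-Processor4] web.WebControlServlet
(unknown:none:homeActionId) action[0]=security.loginAction
DEBUG 2010-03-03 10:36:31,663 [http-80-Processor4] web.WebControlServlet
(unknown:none:homeActionId) passWord[0]=constructed-secret
"""

# Only passWord appears in the article; matching pass* is an assumption
# made here to also catch similarly named parameters.
SECRET_PARAM = re.compile(r"\b(pass\w*)\[(\d+)\]=(.*)$", re.IGNORECASE)
USER_PARAM = re.compile(r"\buserName\[\d+\]=(\S+)")
THREAD = re.compile(r"^DEBUG \S+ \S+ \[([^\]]+)\]")


def scan_and_redact(text):
    """Return (redacted_text, findings); findings list each exposed login."""
    out, findings = [], []
    thread, last_user = None, {}
    for lineno, line in enumerate(text.splitlines(), 1):
        m = THREAD.match(line)
        if m:
            thread = m.group(1)  # header line names the worker thread
        u = USER_PARAM.search(line)
        if u:
            # In the article's sample, userName is logged before passWord.
            last_user[thread] = u.group(1)
        s = SECRET_PARAM.search(line)
        if s and s.group(3):
            findings.append({"line": lineno, "thread": thread,
                             "user": last_user.get(thread, "<unknown>"),
                             "param": s.group(1)})
            # Keep the parameter name, drop only the value.
            line = line[:s.start(3)] + "[REDACTED]"
        out.append(line)
    return "\n".join(out) + "\n", findings


if __name__ == "__main__":
    redacted, hits = scan_and_redact(SAMPLE_LOG)
    for h in hits:
        print(f"line {h['line']}: {h['param']} logged for user {h['user']}")
    print(redacted, end="")
```

The passWord=[Ljava.lang.String;@... entries in the parameter map dump are Java array references, not values, and are left untouched.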

Keywords: CLARITYKB, CLRT-52223, clarity12resolved, clarity1210resolved