
Keystore and Truststore passwords in plain text appearing in logs #986

@cmrohila

Description


While using the SSL feature (https://logback.qos.ch/manual/usingSSL.html) with the following configuration:

    <trustStore>
        <location>file:///JKS_PATH</location>
        <password>${TRUSTSTORE_PASSWORD}</password>
    </trustStore>
    <keyStore>
        <location>file:///JKS_PATH</location>
        <password>${KEYSTORE_PASSWORD}</password>
    </keyStore>

The Keystore and Truststore passwords are getting printed in plain text in logs as follows:

08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ImplicitModelHandler - Assuming default type [ch.qos.logback.core.net.ssl.KeyStoreFactoryBean] for [trustStore] property

08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ModelInterpretationContext@781a975b - value "password in plain text" substituted for "${TRUSTSTORE_PASSWORD}"

08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ImplicitModelHandler - Assuming default type [ch.qos.logback.core.net.ssl.KeyStoreFactoryBean] for [keyStore] property

08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ModelInterpretationContext@781a975b - value "password in plain text" substituted for "${KEYSTORE_PASSWORD}"

Passwords being printed in plain text pose a serious security threat. Please fix this so that no passwords are printed in log files in plain text, even at INFO level.
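As an added example (not code from this issue or from the logback project), the following Python scanner detects and masks this class of leak in captured status output. It parses the `value "..." substituted for "${...}"` message format quoted above, flags substitutions whose variable name looks like a secret (the name fragments are an assumed heuristic), and redacts the value while leaving harmless substitutions such as a log directory untouched. The sample log is constructed from the lines in the report with placeholder passwords, one of which contains a double quote to show that the value is still captured whole.

```python
import re
from dataclasses import dataclass

# Constructed sample modelled on the status lines quoted in the report above;
# the password values are placeholders, not real credentials.
SAMPLE_STATUS_LOG = """\
08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ImplicitModelHandler - Assuming default type [ch.qos.logback.core.net.ssl.KeyStoreFactoryBean] for [trustStore] property
08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ModelInterpretationContext@781a975b - value "hunter2" substituted for "${TRUSTSTORE_PASSWORD}"
08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ImplicitModelHandler - Assuming default type [ch.qos.logback.core.net.ssl.KeyStoreFactoryBean] for [keyStore] property
08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ModelInterpretationContext@781a975b - value "pa"ss" substituted for "${KEYSTORE_PASSWORD}"
08:02:01,652 |-INFO in ch.qos.logback.core.model.processor.ModelInterpretationContext@781a975b - value "/var/log/app" substituted for "${LOG_DIR}"
"""

# Matches the substitution message format shown in the report. The value group
# is greedy so a value that itself contains a double quote is captured whole.
SUBSTITUTION_RE = re.compile(
    r'value "(?P<value>.*)" substituted for "\$\{(?P<var>[^}]*)\}"\s*$'
)

# Assumed heuristic: variable names containing these fragments hold secrets.
SECRET_NAME_FRAGMENTS = ("PASSWORD", "PASSWD", "SECRET", "TOKEN", "CREDENTIAL")


@dataclass(frozen=True)
class Substitution:
    line_no: int   # 1-based line number within the scanned text
    var: str       # variable name inside ${...}
    value: str     # substituted value exactly as it appeared in the log


def parse_substitutions(text: str) -> list[Substitution]:
    """Return every variable-substitution status message found in the text."""
    found = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = SUBSTITUTION_RE.search(line)
        if m:
            found.append(Substitution(line_no, m.group("var"), m.group("value")))
    return found


def is_secret_name(var: str) -> bool:
    """True if the variable name suggests its value is a credential."""
    upper = var.upper()
    return any(frag in upper for frag in SECRET_NAME_FRAGMENTS)


def find_leaks(text: str) -> list[Substitution]:
    """Substitutions whose variable name marks the logged value as a secret."""
    return [s for s in parse_substitutions(text) if is_secret_name(s.var)]


def redact(text: str) -> str:
    """Rewrite the text with secret substitution values masked.

    Non-secret substitutions and all other lines are left unchanged, so the
    redacted output is still usable for debugging the configuration.
    """
    out = []
    for line in text.splitlines(keepends=True):
        m = SUBSTITUTION_RE.search(line)
        if m and is_secret_name(m.group("var")):
            start, end = m.span("value")
            line = line[:start] + "****" + line[end:]
        out.append(line)
    return "".join(out)


if __name__ == "__main__":
    for s in find_leaks(SAMPLE_STATUS_LOG):
        print(f"line {s.line_no}: ${{{s.var}}} was logged in plain text")
    print(redact(SAMPLE_STATUS_LOG))
```

This does not remove the root cause, which sits in configuration-time variable substitution itself; it is an operator-side control for anything that captures logback status output, alongside keeping that output disabled in production.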
