While using the SSL feature "https://logback.qos.ch/manual/usingSSL.html" with the following configuration:
```xml
<trustStore>
  <location>file:///JKS_PATH</location>
  <password>${TRUSTSTORE_PASSWORD}</password>
</trustStore>
<keyStore>
  <location>file:///JKS_PATH</location>
  <password>${KEYSTORE_PASSWORD}</password>
</keyStore>
```
the keystore and truststore passwords are printed in plain text in the logs as follows:
```
8:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ImplicitModelHandler - Assuming default type [ch.qos.logback.core.net.ssl.KeyStoreFactoryBean] for [trustStore] property
08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ModelInterpretationContext@781a975b - value "password in plain text" substituted for "${TRUSTSTORE_PASSWORD}"
08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ImplicitModelHandler - Assuming default type [ch.qos.logback.core.net.ssl.KeyStoreFactoryBean] for [keyStore] property
08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ModelInterpretationContext@781a975b - value "password in plain text" substituted for "${KEYSTORE_PASSWORD}"
```
Passwords being printed in plain text poses a serious security threat. Please fix this so that no passwords are printed in log files in plain text, even at INFO level.
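The status lines above show the general shape of the leak: Logback's variable substitution reports `value "..." substituted for "${VAR}"` for every property, regardless of whether the variable holds a secret. Until the substitution message itself is changed, a practical defensive check is to scan captured status output for substitution messages whose variable name looks secret-bearing and to redact the value before the lines reach a log sink. The following script is an added example written for this issue; it is not part of Logback and does not use any Logback API. The sample lines are constructed copies of the output quoted above (plus one harmless non-secret substitution), and the list of secret-like name fragments is an assumption that should be tuned to local naming conventions.

```python
import re
from typing import Iterable, List, Tuple

# Constructed sample of Logback status output, modelled on the lines quoted
# in this issue, with one extra line showing a non-secret substitution.
SAMPLE_STATUS_LINES = [
    '08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ImplicitModelHandler - '
    'Assuming default type [ch.qos.logback.core.net.ssl.KeyStoreFactoryBean] for [trustStore] property',
    '08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ModelInterpretationContext@781a975b - '
    'value "password in plain text" substituted for "${TRUSTSTORE_PASSWORD}"',
    '08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ImplicitModelHandler - '
    'Assuming default type [ch.qos.logback.core.net.ssl.KeyStoreFactoryBean] for [keyStore] property',
    '08:02:01,651 |-INFO in ch.qos.logback.core.model.processor.ModelInterpretationContext@781a975b - '
    'value "password in plain text" substituted for "${KEYSTORE_PASSWORD}"',
    '08:02:01,652 |-INFO in ch.qos.logback.core.model.processor.ModelInterpretationContext@781a975b - '
    'value "/var/log/app" substituted for "${LOG_DIR}"',
]

# Shape of the substitution message as it appears in the quoted output.
SUBSTITUTION_RE = re.compile(r'value "(?P<value>.*?)" substituted for "\$\{(?P<var>[^}]+)\}"')

# Assumed list of name fragments that usually denote a secret; adjust locally.
SECRET_NAME_RE = re.compile(r'(PASSWORD|PASSWD|SECRET|TOKEN|PRIVATE_KEY|CREDENTIAL)', re.IGNORECASE)

REDACTED = "<redacted>"


def find_substituted_secrets(lines: Iterable[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, variable_name, leaked_value) for every substitution
    message whose variable name looks like it carries a secret."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = SUBSTITUTION_RE.search(line)
        if match and SECRET_NAME_RE.search(match.group("var")):
            hits.append((number, match.group("var"), match.group("value")))
    return hits


def redact_line(line: str) -> str:
    """Replace the substituted value with a placeholder when the variable name
    looks secret-bearing; leave all other lines byte-for-byte unchanged."""
    def _replace(match: "re.Match[str]") -> str:
        var = match.group("var")
        if SECRET_NAME_RE.search(var):
            return f'value "{REDACTED}" substituted for "${{{var}}}"'
        return match.group(0)
    return SUBSTITUTION_RE.sub(_replace, line)


def redact_lines(lines: Iterable[str]) -> List[str]:
    """Apply redact_line to a whole capture of status output."""
    return [redact_line(line) for line in lines]


if __name__ == "__main__":
    for number, var, value in find_substituted_secrets(SAMPLE_STATUS_LINES):
        print(f"line {number}: variable {var} leaked a value of {len(value)} characters")
    print("\n".join(redact_lines(SAMPLE_STATUS_LINES)))
```

The scan is name-based on purpose: the substitution message gives no other signal about sensitivity, so any variable that does not follow a recognisable naming convention will pass through unflagged. Pairing this with a sweep of existing log archives for the `substituted for "${...PASSWORD}"` pattern tells you whether a keystore password has already been written to disk and needs to be rotated.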