[ https://issues.apache.org/jira/browse/HTTPCLIENT-2337?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Winfried Gerlach updated HTTPCLIENT-2337:
-----------------------------------------

Description:

We noticed that in both Apache HTTP Client 4.x and 5.x, {{SSLConnectionSocketFactory}} logs the X500Principal on DEBUG level without sanitizing the fields. If, e.g., the CN contains control characters like {{\b}} or {{\n}}, this could be used by an attacker to tamper with the log of the application (remove stuff, add line breaks etc.).

!image-2024-09-03-08-43-06-757.png!

In the screenshot, the CN has a \b after "Control", so the last letter "l" is removed from the log.

We don't consider this behavior particularly dangerous because it happens on debug level only and the logger can also be turned off completely if needed. You may still want to think about sanitizing the RDN values before logging or somehow avoiding logging the X500Principal completely.

was:

We noticed that in both Apache HTTP Client 4.x and 5.x, {{SSLConnectionSocketFactory}} logs the X500Principal on DEBUG level without sanitizing the fields. If, e.g., the CN contains control characters like {{\b}} or {{\n}}, this could be used by an attacker to tamper with the log of the application (remove stuff, add line breaks etc.).

!image-2024-09-03-08-43-06-757.png!

In the screenshot, the CN has a \b after "Control", so the last letter "l" is removed from the log.

We don't consider this behavior particularly dangerous because it happens on debug level only and the logger can also be turned off completely if needed. You may still want to think about sanitizing the RDN values before logging or somehow avoid ing to log the X500Principal completely.
> Potentially unsafe logging of X500Principal in SSLConnectionSocketFactory
> -------------------------------------------------------------------------
>
>                 Key: HTTPCLIENT-2337
>                 URL: https://issues.apache.org/jira/browse/HTTPCLIENT-2337
>             Project: HttpComponents HttpClient
>          Issue Type: Improvement
>    Affects Versions: 4.5.14, 5.3.1, 5.4-beta1
>            Reporter: Winfried Gerlach
>            Priority: Major
>             Fix For: 5.4-beta2
>
>         Attachments: example-cert.pem, image-2024-09-03-08-43-06-757.png
>
>
> We noticed that in both Apache HTTP Client 4.x and 5.x,
> {{SSLConnectionSocketFactory}} logs the X500Principal on DEBUG level without
> sanitizing the fields. If, e.g., the CN contains control characters like
> {{\b}} or {{\n}}, this could be used by an attacker to tamper with the
> log of the application (remove stuff, add line breaks etc.).
> !image-2024-09-03-08-43-06-757.png!
> In the screenshot, the CN has a \b after "Control", so the last letter "l" is
> removed from the log.
> We don't consider this behavior particularly dangerous because it happens on
> debug level only and the logger can also be turned off completely if needed.
> You may still want to think about sanitizing the RDN values before logging or
> somehow avoiding to log the X500Principal completely.

--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@hc.apache.org
For additional commands, e-mail: dev-h...@hc.apache.org
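As an added example (not part of the report and not HttpClient's own code), one way a caller can escape control characters before a peer principal reaches the log. The DN is constructed with standard RFC 2253 hex escapes so that the CN carries the backspace from the screenshot and a newline; the class and method names are assumptions for this illustration.

```java
import javax.security.auth.x500.X500Principal;

public final class SafePrincipalLogging {

    // Replace C0 and C1 control characters with a visible \\uXXXX escape so a
    // DN cannot delete characters (\b) or forge extra lines (\n) in the log.
    static String sanitizeForLog(String value) {
        StringBuilder out = new StringBuilder(value.length());
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c < 0x20 || (c >= 0x7F && c <= 0x9F)) {
                out.append(String.format("\\u%04X", (int) c));
            } else {
                out.append(c);
            }
        }
        return out.toString();
    }

    // What a DEBUG line should carry instead of the raw X500Principal.
    static String describe(X500Principal principal) {
        return sanitizeForLog(principal.getName(X500Principal.RFC2253));
    }

    public static void main(String[] args) {
        // Constructed hostile subject: \08 is a backspace after "Control",
        // \0A is a newline followed by text that imitates a new log record.
        X500Principal hostile = new X500Principal(
                "CN=Control\\08,O=Example\\0AINFO forged record");

        // getName() passes control characters through unchanged, which is
        // exactly what the report observed in the debug log.
        System.out.println("raw:       " + hostile.getName(X500Principal.RFC2253));
        System.out.println("sanitized: " + describe(hostile));
    }
}
```

Run the class and compare the two lines: the raw one loses the "l" and spans two lines, the sanitized one shows `\u0008` and `\u000A` inline on a single line.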