Bug 782454

Summary: AMQConnectionDelegate_0_10 prints password in log in clear text
Product: Red Hat Enterprise MRG
Reporter: Jiri Pechanec <jpechane>
Component: qpid-java
Assignee: Rajith Attapattu <rattapat+nobody>
Status: CLOSED CURRENTRELEASE
QA Contact: MRG Quality Engineering <mrgqe-bugs>
Severity: high
Docs Contact:
Priority: high
Version: Development
CC: iboverma, jross, tross
Target Milestone: 2.1.2
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: qpid-jca-0.14-5
Doc Type: Bug Fix
Doc Text:
Cause: Password is printed in clear text. Consequence: Poses a security threat as password details can be gleaned from the logs. Fix: Print xxxx instead. Result: Plain text passwords are no longer printed in the log files.

Description Jiri Pechanec 2012-01-17 14:23:39 UTC
Description of problem:

See the message from the log
2012-01-17 09:10:55,769 DEBUG
[org.apache.qpid.client.AMQConnectionDelegate_0_10:213] (RMI TCP
Connection(13)-127.0.0.1) connecting to host: mrg01.mw.lab.eng.bos.redhat.com
port: 5672 vhost: test username: guest password: guest

The password should not be printed in clear text
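
An added example, not part of the original report or of the Qpid code: a Python scan of existing client logs for the connect message quoted above, reporting where a cleartext password was written without echoing the password itself. It assumes records start with the timestamp layout shown in the report and treats a value made only of `x` or `*` as a mask; the second sample record and `broker.example.test` are constructed.

```python
import re
# Message layout taken from the DEBUG line quoted in the bug description.
CONNECT_RE = re.compile(
    r"connecting to host:\s*(?P<host>\S+)\s+port:\s*(?P<port>\d+)\s+"
    r"vhost:\s*(?P<vhost>\S+)\s+username:\s*(?P<user>\S+)\s+"
    r"password:\s*(?P<password>\S+)"
)
# Assumption: a value made only of 'x' or '*' is a mask written by a fixed client.
MASK_RE = re.compile(r"^(?:x+|\*+)$", re.IGNORECASE)
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}\b")  # opens a record


def iter_records(lines):
    """Join wrapped continuation lines back into one record per timestamp."""
    current = []
    for line in lines:
        line = line.strip()
        if RECORD_START.match(line) and current:
            yield " ".join(current)
            current = []
        if line:
            current.append(line)
    if current:
        yield " ".join(current)


def find_exposed_credentials(lines):
    """Return (timestamp, host, vhost, user) per unmasked password; never the password."""
    findings = []
    for record in iter_records(lines):
        m = CONNECT_RE.search(record)
        if m and not MASK_RE.match(m.group("password")):
            findings.append((record[:23], m.group("host"), m.group("vhost"), m.group("user")))
    return findings


# Sample input: record 1 is the line from the report (wrapped as quoted); record 2 is constructed.
SAMPLE_LOG = """\
2012-01-17 09:10:55,769 DEBUG
[org.apache.qpid.client.AMQConnectionDelegate_0_10:213] (RMI TCP
Connection(13)-127.0.0.1) connecting to host: mrg01.mw.lab.eng.bos.redhat.com
port: 5672 vhost: test username: guest password: guest
2012-03-10 08:00:00,001 DEBUG [org.apache.qpid.client.AMQConnectionDelegate_0_10] (main)
connecting to host: broker.example.test port: 5672 vhost: test username: guest password: xxxx
""".splitlines()

if __name__ == "__main__":
    for ts, host, vhost, user in find_exposed_credentials(SAMPLE_LOG):
        print(f"{ts} cleartext password logged for user {user!r} on {host} (vhost {vhost})")
```

Any account the scan reports should have its password changed, since log files written before the fix keep the old value.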

Comment 1 Jiri Pechanec 2012-01-19 11:48:07 UTC
Fixing incorrect product flag

Comment 2 Justin Ross 2012-01-20 22:28:37 UTC
Fix committed upstream on trunk at revision 1232605.

Comment 3 Justin Ross 2012-01-20 22:29:11 UTC
Jira: QPID-3763

Comment 4 Rajith Attapattu 2012-03-09 23:57:34 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
Cause: If no-local is set on a connection, messages sent by the connection should not be received by consumers using the same connection.
       Currently no-local flag is ignored.

Consequence: Messages sent by the same connection are received even if no-local is set.

Fix:  Pass the no-local flag along with queue-declare arguments when creating the subscription queue.

Result: Messages sent by the same connection are no longer received by the consumers on the same connection if no-local is set.

Comment 5 Rajith Attapattu 2012-03-09 23:59:09 UTC
    Technical note updated. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    Diffed Contents:
@@ -1,8 +1,7 @@
-Cause: If no-local is set on a connection, messages sent by the the connection should not be received by consumers using the same connection.
-       Currently no-local flag is ignored.
+Cause: Password is printed in clear text.
 
-Consequence: Messages sent by the same connection is received even if no-local is set.
+Consequence: Poses a security threat as password details can be gleaned from the logs.
 
-Fix:  Pass the no-local flag along with queue-declare arguments when creating the subscription queue.
+Fix:  Print xxxx instead.
 
-Result: Messages sent by the same connection are no longer received by the consumers on the same connection if no-local is set.+Result: Plain text passwords are no longer printed in the log files.
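
Review bot: The new "Fix: Print xxxx instead." line does not say which message changes, so the added Result line ("no longer printed in the log files") reads as covering every log statement. Name the affected output in the Fix line, for example the DEBUG "connecting to host" message from AMQConnectionDelegate_0_10 shown in the description. It would also help to state in the Result that log files written before the fix still contain the password, so the note prompts readers to clean those up.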