Justin Sands (Migrated from SEC-1285) said:
In the log4j (at debug level) output I see the authorization header when the BasicProcessingFilter authentication filter is used:
Authorization header: Basic cGVhY2gucmVkLmludGVybmFsOmFsZ3Bhc3N3b3Jk
This information contains the username and password, simply obfuscated in base64; the username and password of any user can be discovered from the log4j logs. The proper behavior would be to remove the logging, or make it optional via an optional flag set on the BasicProcessingFilter. Right now it is not possible to change the behavior via configuration or sub-classing since it happens as part of doFilterHttp() which also implements the core functionality.
Luke Taylor said:
We wouldn't class this as a vulnerability since it is a matter of debug logging configuration. There are many ways in which a system can be configured to log sensitive information, but which would be regarded as vulnerabilities per se. However, it doesn't seem essential that the full authentication header is logged by this filter, so I've modified the output to prevent output of the header value. Instead, just the username will be logged, prior to authenticating.
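An added illustration of the two behaviours discussed in this thread (not Spring Security's own code): the original debug line that writes the whole Basic header, the fixed line that logs only the username before authentication, and a scanner for spotting the leaked header shape in existing logs. The function names, the log line format and the "alice:s3cret" credential pair are constructed for the example.

```python
import base64
import binascii
import re

# Constructed regex for the debug line shape quoted in the report.
_LEAK_RE = re.compile(r"Authorization header:\s*Basic\s+([A-Za-z0-9+/=]+)")


def basic_auth_username(header_value):
    """Return the username from a 'Basic <base64>' header value, or None.

    Only the part before the first ':' is returned, so the result is safe
    to write to a debug log; the password never leaves this function.
    """
    if not header_value or not header_value.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header_value[6:], validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    username, sep, _password = decoded.partition(":")
    return username if sep else None


def unsafe_debug_line(header_value):
    """Original behaviour: the full header, base64 credentials included."""
    return "Authorization header: " + header_value


def safe_debug_line(header_value):
    """Fixed behaviour: only the username, logged prior to authentication."""
    user = basic_auth_username(header_value)
    return "Basic authentication request for user '%s'" % (user or "<unparseable>")


def find_leaked_credentials(log_lines):
    """Scan log lines for leaked Basic headers; report (line, username) only."""
    leaked = []
    for lineno, line in enumerate(log_lines, start=1):
        m = _LEAK_RE.search(line)
        user = basic_auth_username("Basic " + m.group(1)) if m else None
        if user is not None:
            leaked.append((lineno, user))
    return leaked


# Constructed sample header and log lines using the made-up pair alice:s3cret.
SAMPLE_HEADER = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
SAMPLE_LOG = [
    "DEBUG BasicProcessingFilter - " + unsafe_debug_line(SAMPLE_HEADER),
    "DEBUG BasicProcessingFilter - Authentication success",
]

if __name__ == "__main__":
    print(safe_debug_line(SAMPLE_HEADER))
    print(find_leaked_credentials(SAMPLE_LOG))
```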