
[1.1.5] Cleartext Storage of Sensitive Information in Memory #30

Open
ponyataeva opened this issue Oct 16, 2018 · 0 comments


The application reads and/or stores sensitive information (such as passwords) unencrypted in memory, leaving it susceptible to compromise or erroneous exposure. An attacker with access to the system running the application may be able to obtain access to this sensitive data by examining core dumps and swap files, or by attaching to the running process with a debugger and searching mapped memory pages. Unless memory is explicitly overwritten, the sensitive information will persist until it is garbage collected and reallocated for other purposes.

How to fix:

Try to avoid storing sensitive data in plaintext. When possible, always clear sensitive data after use by explicitly zeroing out the memory. In languages that do not provide a mechanism for zeroing out memory, such as Java or C#, focus on minimizing the risk rather than eliminating it. Try to avoid using immutable types when handling sensitive information (for example, use a character array rather than a String). Keep the time window in which sensitive information is present in memory as short as possible to minimize the likelihood of it being swapped to disk.

Instances:

net.jradius.util.KeyStoreUtil.java 60
net.jradius.util.KeyStoreUtil.java 144
net.jradius.session.RadiusSession.java 564
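
The following is an added illustration of the fix described above (a char[] password that is zeroed in a finally block, beside the String-based anti-pattern). It is not code from the jradius project and is not the code at the flagged lines; the class and method names are hypothetical, and the keystore bytes are constructed in-memory so the example runs offline with only the JDK.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

public class SecretHandlingExample {

    // Anti-pattern: the password arrives as an immutable String. It cannot be
    // overwritten, so it stays in the heap until the collector reuses that memory.
    // The temporary char[] produced by toCharArray() is also left un-zeroed.
    static KeyStore loadWithString(byte[] storeBytes, String password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(new ByteArrayInputStream(storeBytes), password.toCharArray());
        return ks;
    }

    // Preferred: take the password as a mutable char[], use it only for the call
    // that needs it, and overwrite it in a finally block so the exposure window
    // is the load itself, even when load() throws.
    static KeyStore loadWithCharArray(byte[] storeBytes, char[] password)
            throws GeneralSecurityException, IOException {
        try {
            KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
            ks.load(new ByteArrayInputStream(storeBytes), password);
            return ks;
        } finally {
            Arrays.fill(password, '\0');
        }
    }

    // Builds an empty keystore protected by `password` (constructed sample data so
    // the example needs no file on disk). The caller's array is zeroed here too.
    static byte[] createEmptyStore(char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        try {
            ks.store(out, password);
        } finally {
            Arrays.fill(password, '\0');
        }
        return out.toByteArray();
    }

    // Check used only to demonstrate that the buffer was cleared.
    static boolean isZeroed(char[] buf) {
        for (char c : buf) {
            if (c != '\0') return false;
        }
        return true;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample secret. In a real program obtain it from
        // System.console().readPassword(), which already returns a char[]
        // and avoids creating a String literal copy at all.
        char[] secret = "s3cret-password".toCharArray();
        byte[] store = createEmptyStore(secret.clone());

        KeyStore ks = loadWithCharArray(store, secret);
        System.out.println("keystore entries: " + ks.size());
        System.out.println("password buffer zeroed after use: " + isZeroed(secret));
    }
}
```

Zeroing the array is a risk reduction, not a guarantee: the JVM may have relocated the object during garbage collection (leaving a stale copy behind), and the KeyStore implementation may make its own internal copies of the password that the caller cannot reach. That is why the issue text frames the Java/C# case as minimizing the window rather than eliminating it.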

ponyataeva changed the title from "Cleartext Storage of Sensitive Information in Memory" to "[1.1.5] Cleartext Storage of Sensitive Information in Memory" on Oct 16, 2018