
java - Privacy Violation: Heap Inspection

Not sure if this is an appropriate place to post this request for information...

Fortify has reported Privacy Violation: Heap Inspection as a vuln because a password is being stored in a String object. The Java code is making a Basic Authentication request. Every article I can find on Basic Auth with Java uses String to store the credentials. Even if I used a character array, passing the data into the object that creates the header in the request will end up using a String. Seems like it's nearly impossible to fix this problem without writing custom code to do http requests. Can you point me to an article that has sample code on how to do this safely? Or do I just mark it as a false/positive and suppress it and move on?

My google-fu got me this far:

https://www.baeldung.com/java-storing-passwords
 
And from here:
https://stackoverflow.com/questions/8881291/why-is-char-preferred-over-string-for-passwords
 
That article refers to this:
 
https://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#PBEEx
 
"It would seem logical to collect and store the password in an object of type java.lang.String. However, here's the caveat: Objects of type String are immutable, i.e., there are no methods defined that allow you to change (overwrite) or zero out the contents of a String after usage. This feature makes String objects unsuitable for storing security sensitive information such as user passwords. You should always collect and store security sensitive information in a char array instead."

Micro Focus Expert

I located this item in the VulnCat site, but it only provides a summary of the Issue in general.  The Remediation Details within SCA/AWB and/or SSC Server should provide more in-depth details.

You may want to contact Fortify Support (softwaresupport.softwaregrp.com), so that they can see the code in question and advise you more safely than posting it here in a forum.


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
Micro Focus Expert

There is a Fortify-specific Support portal at support.fortify.com which provides Rulepacks for manual download as well as further details on the SCA findings.  If you lack access, please contact Fortify Support (at this general Micro Focus Support portal softwaresupport.softwaregrp.com) so they can correct that.  I still believe that the Remediation Details offered within the product should be more in-depth than either Vulncat or this Support resource.

For this specific item, here was the recommendation.  I do not know if SCA will automatically trace-back that you have reset the String value later, or if you will need to follow-up the correction with a manual Suppression or a Custom Rule.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++

EXPLANATION

Sensitive data (such as passwords, social security numbers, credit card numbers etc.) stored in memory can be leaked if memory is not cleared after use. Often, Strings are used to store sensitive data; however, since String objects are immutable, removing the value of a String from memory can only be done by the JVM garbage collector. The garbage collector is not required to run unless the JVM is low on memory, so there is no guarantee as to when garbage collection will take place. In the event of an application crash, a memory dump of the application might reveal sensitive data.

Example 1: The following code converts a password from a character array to a String.


import javax.swing.JPasswordField;

private JPasswordField pf;
...
final char[] password = pf.getPassword();   // getPassword() hands back a char[] the caller can overwrite
...
String passwordAsString = new String(password);   // immutable copy: cannot be zeroed, stays in the heap until collected

 

RECOMMENDATIONS

Always be sure to clear sensitive data when it is no longer needed. Instead of storing sensitive data in immutable objects such as Strings, use byte arrays or character arrays that can be programmatically cleared.

Example 2: The following code clears memory after a password is used.


import java.util.Arrays;
import javax.swing.JPasswordField;

private JPasswordField pf;
...
final char[] password = pf.getPassword();
// use the password
...
// erase when finished: overwrite every element so the plaintext no longer exists in memory
Arrays.fill(password, ' ');

+++++++++++++++++++++++++++++++++++++++++++++++++++++++


-- Habeas Data
Micro Focus Fortify Customers-Only Forums – https://community.softwaregrp.com/t5/Fortify/ct-p/fortify
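The recommendation in the reply above, applied to the Basic Auth case from the original question, as an added example that is not from the forum, from Fortify or from any library: the Authorization header line is assembled as a byte[] from the char[] password, every intermediate array is zeroed, and the bytes are written directly to an open connection's OutputStream so the credentials never pass through a java.lang.String. The class and method names (BasicAuthHeader, headerLine, writeHeader) are assumed.

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import java.util.Base64;

/** Hypothetical helper: builds an HTTP Basic Authorization header line from a
 *  char[] password without creating a String, wiping every intermediate buffer. */
public final class BasicAuthHeader {

    /** Returns the bytes of "Authorization: Basic <base64(user:password)>\r\n".
     *  The caller owns the returned array and must zero it after use. */
    public static byte[] headerLine(String user, char[] password) {
        // "user:password" as a mutable char[] (the user name is not secret, so a String is fine there)
        char[] userPass = new char[user.length() + 1 + password.length];
        user.getChars(0, user.length(), userPass, 0);
        userPass[user.length()] = ':';
        System.arraycopy(password, 0, userPass, user.length() + 1, password.length);

        // UTF-8 encode into a ByteBuffer we allocate ourselves, so its backing array can be scrubbed
        CharsetEncoder enc = StandardCharsets.UTF_8.newEncoder();
        ByteBuffer raw = ByteBuffer.allocate((int) Math.ceil(enc.maxBytesPerChar() * userPass.length));
        enc.encode(CharBuffer.wrap(userPass), raw, true);   // wrap() does not copy the chars
        enc.flush(raw);
        Arrays.fill(userPass, '\0');                        // plaintext chars no longer needed
        raw.flip();
        byte[] rawBytes = Arrays.copyOf(raw.array(), raw.remaining());
        Arrays.fill(raw.array(), (byte) 0);                  // scrub the encoder's output buffer

        byte[] b64 = Base64.getEncoder().encode(rawBytes);   // byte[] in, byte[] out: no String involved
        Arrays.fill(rawBytes, (byte) 0);

        byte[] prefix = "Authorization: Basic ".getBytes(StandardCharsets.US_ASCII);
        byte[] line = new byte[prefix.length + b64.length + 2];
        System.arraycopy(prefix, 0, line, 0, prefix.length);
        System.arraycopy(b64, 0, line, prefix.length, b64.length);
        line[line.length - 2] = '\r';
        line[line.length - 1] = '\n';
        Arrays.fill(b64, (byte) 0);                          // base64 of the credentials is still the credentials
        return line;
    }

    /** Writes the header to an already-open request stream, then erases it and the caller's password. */
    public static void writeHeader(OutputStream out, String user, char[] password) throws IOException {
        byte[] line = headerLine(user, password);
        try { out.write(line); out.flush(); }
        finally { Arrays.fill(line, (byte) 0); Arrays.fill(password, '\0'); }   // erase when finished
    }
}
```

HttpURLConnection.setRequestProperty and java.net.http.HttpRequest.Builder.header accept the value only as a String, so with those clients the base64 form of the credentials still becomes a String at the API boundary, which is the limitation the question describes; this helper only avoids that when the request bytes are written to the stream directly, and otherwise the realistic mitigation is to keep the String's lifetime as short as possible.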