PK07366; 5.1.1.4: Sensitive information is shown in plain text in FFDC log
 Downloadable files
 
Abstract
Sensitive information is shown in plain text in the FFDC log when an exception is thrown.
 
Download Description
PK07366 resolves the following problem:

ERROR DESCRIPTION:
During internal IBM testing, the DB password was shown in plain text in the FFDC log WC_catalog2_29d42574_05.05.31_19.11.29_0.txt after the exception below was thrown:

NOTE: The tester took no specific action; the exception was thrown during unscripted (sporadic) testing.

Stack Dump = com.ibm.ejs.cm.portability.DuplicateKeyException:
DUPLICATE KEY VALUE SPECIFIED.
at java.lang.Throwable.<init>(Throwable.java:195)
at java.lang.Exception.<init>(Exception.java:41)
at java.sql.SQLException.<init>(SQLException.java:40)
at com.ibm.websphere.ce.cm.PortableSQLException.<init>(PortableSQLException.java:38)
.......... (remaining stack frames omitted) followed by the field dump below:

dbUser = (User ID)
dbPassword = (User Password)
dshelper = null

PROBLEM SUMMARY:

USERS AFFECTED:
WebSphere Application Server users.

PROBLEM DESCRIPTION:
When FFDC processes an exception, it can either invoke a Diagnostic Module (DM) or perform introspection on the calling class. In this case, the correct DM was registered, but it was registered for a package different from the one the calling class belongs to. FFDC did not find this DM and performed introspection instead, outputting the values of all fields found in the calling class, including those containing sensitive information such as the database password.

RECOMMENDATION:
The process of looking up DMs in FFDC does not find the correct DM when an exception originates in a class from a package different from the one the DM was registered for, so FFDC falls back to introspection and dumps every field of that class.

PROBLEM CONCLUSION:
The process of looking up DMs in FFDC was updated to also search by sourceId, a hardcoded string that is passed in to FFDC to uniquely identify the code calling it. Because this string is hardcoded in the calling code rather than derived from the runtime class, the correct DM will be found even in a case like this one, where an existing class is extended and its inherited code (now running in a subclass from another package) calls FFDC.
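To make the failure mode and the fix concrete, here is an added Python model of the lookup described above. It is not WebSphere's FFDC code; the class names (FFDCRegistry, DataAccessBase, CatalogDAO), the package strings, the SOURCE_ID value and the credentials are constructed for illustration. A base class in one package holds dbUser and dbPassword; a subclass in another package inherits its insert method; when the inherited code reports a duplicate-key failure, a package-keyed lookup misses the DM and the introspection fallback dumps the password, while a sourceId-keyed lookup finds the DM and records only the fields it declares safe.

```python
class DiagnosticModule:
    """A DM knows which fields of its class are safe to record on failure."""

    def __init__(self, name, safe_fields):
        self.name = name
        self.safe_fields = safe_fields

    def dump(self, obj):
        # Only the allow-listed fields are written; secrets never reach the log.
        return {f: getattr(obj, f, None) for f in self.safe_fields}


class FFDCRegistry:
    """Toy stand-in for the FFDC DM lookup (hypothetical, not the WebSphere API)."""

    def __init__(self, lookup_by_source_id):
        self.lookup_by_source_id = lookup_by_source_id  # False = old behaviour, True = fixed
        self._by_package = {}
        self._by_source_id = {}

    def register(self, package, source_id, dm):
        self._by_package[package] = dm
        self._by_source_id[source_id] = dm

    def process_exception(self, exc, source_id, caller):
        """Return the record FFDC would write for this failure."""
        # Old lookup: key on the package of the *runtime* class of the caller.
        caller_package = type(caller).__module__
        dm = self._by_package.get(caller_package)
        # Fixed lookup: fall back to the hardcoded sourceId passed by the calling code.
        if dm is None and self.lookup_by_source_id:
            dm = self._by_source_id.get(source_id)
        if dm is not None:
            return {"dm": dm.name, "exception": repr(exc), "fields": dm.dump(caller)}
        # No DM found: introspect the caller and dump every field, secrets included.
        return {"dm": None, "exception": repr(exc), "fields": dict(vars(caller))}


class DataAccessBase:
    """Constructed base class holding connection details (package com.example.base)."""

    __module__ = "com.example.base"
    # Hardcoded sourceId, fixed at the point where the code was written.
    SOURCE_ID = "com.example.base.DataAccessBase"

    def __init__(self, user, password):
        self.dbUser = user
        self.dbPassword = password
        self.dshelper = None

    def insert(self, key, store, ffdc):
        try:
            if key in store:
                raise KeyError("DUPLICATE KEY VALUE SPECIFIED.")
            store[key] = True
        except KeyError as exc:
            # Inherited code: 'self' may be an instance of a subclass in another package.
            return ffdc.process_exception(exc, self.SOURCE_ID, self)
        return None


class CatalogDAO(DataAccessBase):
    """Constructed subclass in a different package; inherits insert() unchanged."""

    __module__ = "com.example.catalog"


def run(lookup_by_source_id):
    """Register the DM for the base package, then trigger a duplicate-key failure."""
    ffdc = FFDCRegistry(lookup_by_source_id)
    ffdc.register("com.example.base", DataAccessBase.SOURCE_ID,
                  DiagnosticModule("DataAccessBaseDM", ["dbUser", "dshelper"]))
    dao = CatalogDAO("wcuser", "s3cret")   # constructed credentials
    store = {"SKU-1": True}                # key already present -> duplicate
    return dao.insert("SKU-1", store, ffdc)


if __name__ == "__main__":
    for flag in (False, True):
        print("sourceId lookup:" if flag else "package lookup: ", run(flag))
```

The check a practitioner wants after applying a fix of this kind is the second assertion pattern below: provoke the exception from the subclass and confirm that the written record names a DM and contains no password field, rather than trusting that the DM is "registered".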

The fix for this APAR is currently targeted for inclusion in V5.0.2.13, 5.1.1.6 and 6.0.2.1.

Please refer to the recommended updates page for delivery information:
General/swg27004980.html
 
Prerequisites
Please download the UpdateInstaller below to install this fix.
 
URL LANGUAGE SIZE(Bytes)
UpdateInstaller US English 7250000
 
 
Installation Instructions
Please review the readme.txt for detailed installation instructions.
 
URL LANGUAGE SIZE(Bytes)
Readme US English 1833
 
Download package
Download RELEASE DATE LANGUAGE SIZE(Bytes) Download Options
PK07366.jar 7/13/2005 US English 4849 FTP DD
 
Technical support
1-800-IBM-SERV (U.S. Only)
 
Cross Reference information
Segment Product Component Platform Version Edition
Application Servers Runtimes for Java Technology Java SDK
Problems (APARS) fixed
PK07366

Document Information

Product categories: Software > Application Servers > Distributed Application & Web Servers > WebSphere Application Server
Operating system(s): Windows
Software version: 5.1.1.4
Software edition:
Reference #: 4010065
IBM Group: Software Group
Modified date: Jul 18, 2005