PK07366; 5.1.1.4: Sensitive information is shown in
plain text in FFDC log
Downloadable files
Abstract
Sensitive information is shown in plain text in the FFDC
log when an exception is thrown.
Download Description
PK07366 resolves the following problem:
ERROR DESCRIPTION:
From internal IBM testing: in the FFDC log WC_catalog2_29d42574_05.05.31_19.11.29_0.txt,
the DB password is shown in plain text after the exception below is
thrown:
NOTE: No specific action was taken by the tester. The exception was thrown
during sporadic testing.
Stack Dump = com.ibm.ejs.cm.portability.DuplicateKeyException:
DUPLICATE KEY VALUE SPECIFIED.
at java.lang.Throwable.<init>(Throwable.java:195)
at java.lang.Exception.<init>(Exception.java:41)
at java.sql.SQLException.<init>(SQLException.java:40)
at com.ibm.websphere.ce.cm.PortableSQLException.<init>(PortableSQLException.java:38)
... (remaining stack frames omitted; in the log they are followed by the
introspected field values, which include the DB password.)
USERS AFFECTED:
WebSphere Application Server users.
PROBLEM DESCRIPTION:
When FFDC processes an exception, it can either invoke a Diagnostic Module
(DM) or perform introspection on the calling class. In this case, the
correct DM was registered, but it was registered for a package different
than the one the calling class belongs to. The FFDC did not find this DM
and performed introspection instead, outputting values of all fields found
in the calling class, including those containing sensitive information.
RECOMMENDATION:
The process of looking up DMs in FFDC does not find the correct DMs when
exceptions originate in a class from a package different than the one the
DM was registered for.
PROBLEM CONCLUSION:
The process of looking up DMs in FFDC was updated to also search by
sourceId, a hardcoded string that the calling code passes into FFDC to
uniquely identify itself. Because this string is hardcoded, the correct DM
is found even in a case like this one, where an existing class is extended
and its inherited code calls FFDC from a class in a different package.
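To make the lookup failure in PROBLEM DESCRIPTION and the sourceId fix in PROBLEM CONCLUSION concrete, here is an added toy model of the DM lookup (it is not WebSphere's FFDC code; the package names, the sourceId string, and the data source fields are hypothetical). A subclass in another package inherits the method that calls FFDC, so a package-keyed lookup misses the DM and introspection dumps the password; a sourceId-keyed lookup still finds it.

```python
class DiagnosticModule:
    """A DM knows which fields of its component are safe to write to the log."""
    def __init__(self, safe_fields):
        self.safe_fields = safe_fields
    def dump(self, obj):
        return {f: getattr(obj, f) for f in self.safe_fields}

class Ffdc:
    """Toy FFDC: find a DM for the calling class, else introspect every field."""
    def __init__(self, search_by_source_id):
        self.by_package, self.by_source_id = {}, {}
        self.search_by_source_id = search_by_source_id
    def register(self, package, source_id, dm):
        self.by_package[package] = dm
        self.by_source_id[source_id] = dm
    def process(self, caller, source_id):
        # Pre-fix lookup: keyed on the package of the class that called FFDC.
        dm = self.by_package.get(type(caller).__module__)
        # Post-fix lookup: also try the hardcoded sourceId, which survives
        # inheritance because it is a literal inside the calling code.
        if dm is None and self.search_by_source_id:
            dm = self.by_source_id.get(source_id)
        if dm is not None:
            return dm.dump(caller)
        # No DM found: introspection writes every field, the DB password included.
        return dict(vars(caller))

class DataSourceBase:
    """Component whose package has a DM registered; its code calls FFDC."""
    SOURCE_ID = "com.ibm.ws.db.DataSourceBase.connect"  # hypothetical sourceId
    def __init__(self, url, password):
        self.url, self.password = url, password
    def connect(self, ffdc):
        try:
            raise RuntimeError("DUPLICATE KEY VALUE SPECIFIED.")  # simulated failure
        except RuntimeError:
            return ffdc.process(self, self.SOURCE_ID)
DataSourceBase.__module__ = "com.ibm.ws.db"  # stand-in for the Java package (hypothetical)

class CatalogDataSource(DataSourceBase):
    """Subclass in another package; inherits connect() and its FFDC call."""
CatalogDataSource.__module__ = "com.ibm.commerce.catalog"  # hypothetical

def ffdc_dump(search_by_source_id):
    """Run the inherited code path and return what FFDC would write to the log."""
    ffdc = Ffdc(search_by_source_id)
    ffdc.register("com.ibm.ws.db", DataSourceBase.SOURCE_ID, DiagnosticModule(["url"]))
    # Constructed sample values, not from any real system.
    return CatalogDataSource("jdbc:db2://host/WCS", "s3cret").connect(ffdc)
```

With `search_by_source_id=False` the dump contains the password; with `True` only the DM's safe fields reach the log.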
The fix for this APAR is currently targeted for inclusion in V5.0.2.13,
5.1.1.6 and 6.0.2.1.