View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0008012 | 10000-002: Security | Spec | public | 2022-05-25 15:25 | 2024-05-28 16:11 |
Reporter | Randy Armstrong | Assigned To | Paul Hunkar | ||
Priority | normal | Severity | minor | Reproducibility | have not tried |
Status | closed | Resolution | fixed | ||
Fixed in Version | 1.05.04 RC1 | ||||
Summary | 0008012: Restrictions on DiagnosticInfo.AdditionalInfo with unauthenticated Clients | ||||
Description | Many servers return full stack traces in AdditionalInfo which is quite helpful for debugging connecting issues. This information could be exploited by a malicious client. The text for the AdditionalInfo should add a caveat that, by default, AdditionalInfo shall only be provided to authenticated Clients. If Servers accept all valid Certificates (like a GDS) then the AdditionalInfo shall only be provided to Clients with access to a Role that grants them some level of administrative privileges. Servers may also have a "debug mode" that is enabled in configuration that increases the detail in AdditionalInfo provided to unauthenticated and authenticated Clients to facilitate debugging of connection issues. The "debug mode" should never be left enabled once these issues are resolved. Servers should also log the additional info even if it is not returned to the client because it does not have sufficient rights. | ||||
Additional Information | Part 2 needs a discussion on leaking sensitive information and strategies to mitigate. | ||||
Tags | No tags attached. | ||||
Commit Version | 1.05.04 RC | ||||
Fix Due Date | 2023-09-01 | ||||
related to | 0008011 | closed | Matthias Damm | 10000-004: Services | Restrictions on DiagnosticInfo.AdditionalInfo with unauthenticated Clients |
Added text describing that security related diagnostics should be restricted to security personnel and that stack trace type diagnostics need to be restricted to authenticated clients.

Agreed to text edited in Web Meeting.
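As an added illustration of the restriction this issue proposes (not normative OPC UA text and not code from any OPC UA stack), the Python below gates AdditionalInfo on the session's authentication state and Roles, widens disclosure only under a configuration-controlled debug mode, and logs the full text server-side regardless of what the Client receives. The Session and ServerConfig types, their field names, and the choice of SecurityAdmin and ConfigureAdmin as the "administrative" Roles are assumptions.

```python
import logging
from dataclasses import dataclass
from typing import FrozenSet, Optional

# Added illustration of the policy proposed in issue 0008012; not normative
# text and not code from any OPC UA stack. Types and field names are assumed.
log = logging.getLogger("opcua.diagnostics")

# Roles treated here as "some level of administrative privileges"; which
# Roles qualify is a server policy decision (assumption).
ADMIN_ROLES = frozenset({"SecurityAdmin", "ConfigureAdmin"})


@dataclass(frozen=True)
class Session:
    authenticated: bool                     # identity token verified, not Anonymous
    roles: FrozenSet[str] = frozenset()     # Roles granted to this session


@dataclass(frozen=True)
class ServerConfig:
    accepts_all_certificates: bool = False  # e.g. a GDS trusting any valid cert
    debug_mode: bool = False                # temporary aid; disable after use


def additional_info_for(session: Session, config: ServerConfig,
                        full_info: str) -> Optional[str]:
    """Return the AdditionalInfo text to send, or None to omit the field.

    The full text is always logged server-side, so an operator can still
    diagnose a connection problem the Client was not entitled to see.
    """
    log.info("DiagnosticInfo (authenticated=%s roles=%s): %s",
             session.authenticated, sorted(session.roles), full_info)
    if config.debug_mode:
        # Debug mode widens disclosure to unauthenticated Clients as well.
        log.warning("debug_mode enabled: AdditionalInfo sent to any Client")
        return full_info
    if not session.authenticated:
        return None
    if config.accepts_all_certificates and not (session.roles & ADMIN_ROLES):
        # A valid certificate proves little when every valid one is accepted,
        # so an administrative Role is required instead.
        return None
    return full_info
```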
Date Modified | Username | Field | Change |
---|---|---|---|
2022-05-25 15:25 | Randy Armstrong | New Issue | |
2022-05-25 15:25 | Randy Armstrong | Issue generated from: 0008011 | |
2022-05-25 15:25 | Randy Armstrong | Project | 10000-004: Services => 10000-002: Security |
2022-07-05 16:37 | Jim Luth | Relationship added | related to 0008011 |
2022-07-05 16:37 | Jim Luth | Assigned To | => Paul Hunkar |
2022-07-05 16:37 | Jim Luth | Status | new => assigned |
2023-07-25 16:09 | Jim Luth | Commit Version | => 1.05.04 RC |
2023-07-25 16:09 | Jim Luth | Fix Due Date | => 2023-09-01 |
2024-05-23 13:02 | Paul Hunkar | Status | assigned => resolved |
2024-05-23 13:02 | Paul Hunkar | Resolution | open => fixed |
2024-05-23 13:02 | Paul Hunkar | Fixed in Version | => 1.05.04 RC1 |
2024-05-23 13:02 | Paul Hunkar | Note Added: 0021227 | |
2024-05-28 16:11 | Jim Luth | Status | resolved => closed |
2024-05-28 16:11 | Jim Luth | Note Added: 0021247 |