[jboss-jira] [JBoss JIRA] (WFLY-4536) Do not reveal user ID of WildFly process via JavaMail messages
Harald Wellmann (JIRA)
issues at jboss.org
Mon Apr 20 03:53:19 EDT 2015
Harald Wellmann created WFLY-4536:
-------------------------------------
Summary: Do not reveal user ID of WildFly process via JavaMail messages
Key: WFLY-4536
URL: https://issues.jboss.org/browse/WFLY-4536
Project: WildFly
Issue Type: Enhancement
Components: Mail
Affects Versions: 9.0.0.Beta2, 8.2.0.Final
Reporter: Harald Wellmann
Assignee: Tomaz Cerar
The Message-ID of outgoing e-mail sent via the default javax.mail.Session has the format
{noformat}
Message-ID: <524672585.11.1429091886393.JavaMail.wildfly@myserver.example.com>
{noformat}
The {{wildfly}} part here is not hard-coded; it corresponds to the user ID of the process WildFly is running under (which happens to be {{wildfly}} on my server).
Revealing the user ID of a system process may be regarded as a security risk.
This has been fixed in javax.mail 1.5.3 (see https://kenai.com/bugzilla/show_bug.cgi?id=6496), so WildFly should upgrade this dependency.
--
This message was sent by Atlassian JIRA
(v6.3.11#6341)
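An added example, not part of the original report and not WildFly or JavaMail code: a small audit check that scans outgoing mail for Message-ID headers in the layout quoted in the report and pulls out the process account and host they expose. The function names, the regular expression (inferred from the one sample in the report) and the sample messages are assumptions made for this illustration.

```python
import re
from collections import Counter
from email import message_from_string

# Layout inferred from the sample in the report (an assumption, not a spec):
#   <number.number.number.JavaMail.USER@HOST>
JAVAMAIL_ID = re.compile(
    r"^<-?\d+\.\d+\.\d+\.JavaMail\.(?P<user>[^@>]+)@(?P<host>[^>]+)>$"
)

def leaked_identity(raw_message):
    """Return (user, host) for each Message-ID that matches the layout."""
    msg = message_from_string(raw_message)
    found = []
    for value in msg.get_all("Message-ID", []):
        compact = "".join(value.split())  # undo header folding
        match = JAVAMAIL_ID.match(compact)
        if match:
            found.append((match.group("user"), match.group("host")))
    return found

def audit(raw_messages):
    """Count how often each process account appears across a mail sample."""
    return Counter(
        user for raw in raw_messages for user, _host in leaked_identity(raw)
    )

# Constructed sample: Message-ID copied from the report.
LEAKY = (
    "From: app@example.com\n"
    "To: ops@example.com\n"
    "Message-ID: <524672585.11.1429091886393.JavaMail.wildfly@myserver.example.com>\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
# Constructed sample: same ID on a folded continuation line.
FOLDED = LEAKY.replace("Message-ID: ", "Message-ID:\n ")
# Constructed sample: an ID that does not carry an account name.
CLEAN = LEAKY.replace(
    "524672585.11.1429091886393.JavaMail.wildfly@myserver",
    "20150420075319.1234@mail",
)

if __name__ == "__main__":
    for user, count in audit([LEAKY, FOLDED, CLEAN]).items():
        print(f"account '{user}' exposed in {count} message(s)")
```

Run against a sample of delivered mail before and after the dependency upgrade, the count per account shows whether any sender is still emitting the old layout.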