  1. WildFly
  2. WFLY-4536

Do not reveal user ID of WildFly process via JavaMail messages

    Details

    • Type: Enhancement
    • Status: Closed
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: 8.2.0.Final, 9.0.0.Beta2
    • Fix Version/s: 9.0.0.CR1
    • Component/s: Mail
    • Labels:
      None

      Description

      The Message-ID of outgoing e-mail sent via the default javax.mail.Session has the format

      Message-ID: <524672585.11.1429091886393.JavaMail.wildfly@myserver.example.com>
      

      The wildfly part here is not hard-coded; it corresponds to the user ID of the process WildFly is running under (which happens to be wildfly on my server).

      Revealing the user ID of a system process may be regarded as a security risk.

      This has been fixed in javax.mail 1.5.3 (see https://kenai.com/bugzilla/show_bug.cgi?id=6496), so WildFly should upgrade this dependency.
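An audit check for the header layout described in this issue, as an added example that is not part of the original report or of WildFly/JavaMail code: it scans outgoing messages and reports any Message-ID that still carries an account name after the `JavaMail.` marker. The field names `hash`, `counter` and `millis`, the function names, and the second and third sample messages are assumptions constructed for the example; the first sample reuses the Message-ID quoted above.

```python
import re
from email import message_from_string

# Layout as quoted in this issue: <n.n.n.JavaMail.USER@HOST>
# (names of the three numeric fields are assumed, only their position matters)
_LEGACY_JAVAMAIL_ID = re.compile(
    r"^<(?P<hash>-?\d+)\.(?P<counter>\d+)\.(?P<millis>\d+)"
    r"\.JavaMail\.(?P<user>[^@<>\s]+)@(?P<host>[^@<>\s]+)>$"
)

def leaked_account(message_id):
    """Return (user, host) if the Message-ID exposes an account name, else None."""
    m = _LEGACY_JAVAMAIL_ID.match(message_id.strip())
    return (m.group("user"), m.group("host")) if m else None

def audit(raw_messages):
    """Scan raw RFC 5322 messages and list every Message-ID that leaks an account."""
    findings = []
    for index, raw in enumerate(raw_messages):
        message_id = message_from_string(raw).get("Message-ID")
        if message_id is None:          # header absent: nothing to check
            continue
        hit = leaked_account(message_id)
        if hit:
            findings.append({"index": index, "message_id": message_id.strip(),
                             "user": hit[0], "host": hit[1]})
    return findings

# Constructed sample messages (not captured traffic).
SAMPLES = [
    "From: app@example.com\nSubject: report\n"
    "Message-ID: <524672585.11.1429091886393.JavaMail.wildfly@myserver.example.com>\n"
    "\nbody\n",
    "From: app@example.com\nSubject: other sender\n"
    "Message-ID: <20150415.abcdef@mail.example.org>\n\nbody\n",
    "From: app@example.com\nSubject: no id\n\nbody\n",
]

if __name__ == "__main__":
    for finding in audit(SAMPLES):
        print("message %(index)d exposes account %(user)r on %(host)s" % finding)
```

Running the same check against mail sent after the dependency upgrade shows whether any deployment is still emitting the old layout.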

              People

              • Assignee: ctomc Tomaž Cerar
              • Reporter: hwellmann.de Harald Wellmann
              • Votes: 0
              • Watchers: 2
