Description
Background
We use WebSphere Liberty Operator as a dependency in our project. Our security scanning tool (MEND SAST) recently flagged multiple vulnerabilities in the WLO codebase. Since we only modify the Dockerfile and don't touch the core operator code, these need to be addressed upstream.
Findings
- CWE-244: Heap Inspection (26 findings - MEDIUM)
Sensitive data (secrets, tokens, passwords, keys) stored as strings in memory aren't explicitly cleared after use, which could expose them to heap inspection.
CWE Reference: https://cwe.mitre.org/data/definitions/244.html
Affected locations:
scripts/replacements/register.go:
Line 44
Line 141
wlo/utils/register.go:
Line 44
Line 141
wlo/internal/controller/password_encryption_key_sharing.go:
Line 242
Line 245
wlo/internal/controller/ltpa_keys_sharing.go:
Lines 224, 280, 296, 425, 516
wlo/utils/utils.go:
Lines 170, 171, 172, 173, 178, 717, 755, 1008, 1020, 1034
wlo/api/v1/webspherelibertyapplication_types.go:
Lines 61, 389, 558
- CWE-338: Weak Pseudo-Random (2 findings - MEDIUM)
Use of insufficiently random values in security-sensitive contexts.
CWE Reference: https://cwe.mitre.org/data/definitions/338.html
Affected locations:
wlo/utils/utils.go:
Line 1183
Line 1191
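As an added illustration of the two finding classes above (this is example code written for this report, not code from the WebSphere Liberty Operator and not the flagged lines themselves): a small Go program that shows why a string-typed secret cannot be wiped while a []byte buffer can (CWE-244), and places a math/rand token that can be reproduced from its seed next to a crypto/rand generator (CWE-338). The names Secret, LeakViaString, SeededToken, RandomPassword and Alphabet are this example's own choices.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"fmt"
	"math/big"
	mrand "math/rand"
)

// Alphabet is the character set RandomPassword draws from (example choice).
const Alphabet = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"

// Secret keeps sensitive material in a mutable []byte so the caller can
// overwrite it once it is no longer needed. A Go string offers no such
// option: its backing array is immutable, and every conversion or
// concatenation leaves a fresh copy on the heap until the GC reclaims it.
type Secret struct {
	buf []byte
}

// NewSecret copies the input so the caller's slice and the Secret can be
// wiped independently.
func NewSecret(b []byte) *Secret {
	s := &Secret{buf: make([]byte, len(b))}
	copy(s.buf, b)
	return s
}

// Bytes exposes the live buffer; callers must not retain it past Zero.
func (s *Secret) Bytes() []byte { return s.buf }

// Equal compares in constant time, as tokens and keys should be compared.
func (s *Secret) Equal(other []byte) bool {
	return subtle.ConstantTimeCompare(s.buf, other) == 1
}

// Zero overwrites the buffer in place. This is best effort: copies made
// elsewhere (a string built from it, a log line, a struct field assigned
// by value) are out of reach, which is exactly what the scanner warns about.
func (s *Secret) Zero() {
	for i := range s.buf {
		s.buf[i] = 0
	}
}

// LeakViaString demonstrates the CWE-244 pattern: converting the secret to
// a string makes an immutable copy, so wiping the original slice leaves the
// secret intact in the string, and therefore on the heap.
func LeakViaString(b []byte) string {
	s := string(b)
	for i := range b {
		b[i] = 0
	}
	return s
}

// SeededToken demonstrates the CWE-338 pattern: math/rand is a deterministic
// generator, so anyone who learns or guesses the seed (a timestamp, say)
// can reproduce every byte it emitted.
func SeededToken(seed int64, n int) []byte {
	r := mrand.New(mrand.NewSource(seed))
	b := make([]byte, n)
	r.Read(b) // never fails; also never cryptographically random
	return b
}

// RandomPassword is the replacement: crypto/rand draws each index with
// rand.Int, which is uniform over [0, len(Alphabet)) and so avoids the
// modulo bias of reducing a raw byte with %. The result is returned as a
// Secret so the caller can wipe it after use.
func RandomPassword(length int) (*Secret, error) {
	out := make([]byte, length)
	bound := big.NewInt(int64(len(Alphabet)))
	for i := range out {
		idx, err := rand.Int(rand.Reader, bound)
		if err != nil {
			return nil, fmt.Errorf("crypto/rand: %w", err)
		}
		out[i] = Alphabet[idx.Int64()]
	}
	s := NewSecret(out)
	for i := range out { // drop the intermediate copy as well
		out[i] = 0
	}
	return s, nil
}

func main() {
	pw, err := RandomPassword(20)
	if err != nil {
		panic(err)
	}
	fmt.Printf("generated a %d-character password; seeded math/rand token: %x\n",
		len(pw.Bytes()), SeededToken(1, 4))
	pw.Zero()
}
```

Two practical notes: values read from a Kubernetes corev1.Secret arrive in its Data field as map[string][]byte, so keeping them as byte slices and wiping after use is feasible; the copies that cannot be reached are the ones created when such a value is formatted into a string (for a config file, an environment variable, or a log message), which is the shape most of the flagged lines are likely to take. And a seeded math/rand value is not made safer by a high-resolution time seed, since the search space is the set of plausible timestamps rather than the output size.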