You observe entries in syslog similar to the following:
Nov 17 15:32:09 ssp2-md-0-gmprs-qvx7j fluentd: "druid.indexer.runner.javaOpts" : "-server -Xms128M -Xmx512M -XX:MaxDirectMemorySize=1G -Duser.timezone=UTC -Dfile.encoding=UTF-8 -XX:+ExitOnOutOfMemoryError -XX:+HeapDumpOnOutOfMemoryError -XX:+UseG1GC -Dzookeeper.clientCnxnSocket=org.apache.zookeeper.ClientCnxnSocketNetty
-Dzookeeper.client.secure=true -Dzookeeper.ssl.keyStore.location=/etc/druid/cert/keystore.p12
-Dzookeeper.ssl.keyStore.password=<visible-in-plaintext>
-Dzookeeper.ssl.trustStore.location=/etc/druid/cert/truststore.p12
-Dzookeeper.ssl.trustStore.password=<visible-in-plaintext>
-Dzookeeper.ssl.hostnameVerification=false"
Security Services Platform (SSP) 5.1
The log entries are generated by certain pods which print JVM startup options as part of their initialization sequence. These JVM options include SSL/TLS client configuration properties, including keystore and truststore passwords.
The passwords visible in the logs are internal infrastructure credentials with the following characteristics:
Therefore, although the password is visible, it does not represent exposure of sensitive or customer-related data.
The visible password string does not expose any real, customer-provided, or security-critical secrets.
The issue has no security impact on SSP 5.1 deployments.
Enhancements are planned to prevent third-party components from logging sensitive JVM parameters.
The fix will be included in an upcoming SSP release.
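Until that release, log lines such as the one shown above can be checked and masked before they are forwarded or shared. The following Python filter is an added example, not part of SSP or of the original article; the names SECRET_PROP and scan, the mask string and the sample lines are assumptions constructed for illustration.

```python
import re

# Matches JVM system properties whose key contains a secret-like word,
# e.g. -Dzookeeper.ssl.keyStore.password=VALUE. The key may only contain
# word characters, dots and hyphens, so a match cannot span two properties.
# The value runs up to whitespace or a double quote, because the javaOpts
# string is wrapped in quotes in the log entry.
SECRET_PROP = re.compile(
    r'(-D[\w.\-]*?(?:password|passwd|secret)[\w.\-]*=)([^\s"]+)',
    re.IGNORECASE,
)

def scan(lines, mask="****"):
    """Mask secret values in log lines.

    Returns (clean_lines, findings), where findings is a list of
    (line_number, property_name) tuples for every masked property.
    """
    clean, findings = [], []
    for lineno, line in enumerate(lines, start=1):
        for m in SECRET_PROP.finditer(line):
            # group(1) is "-D<name>="; strip the "-D" prefix and the "=".
            findings.append((lineno, m.group(1)[2:-1]))
        clean.append(SECRET_PROP.sub(lambda m: m.group(1) + mask, line))
    return clean, findings

# Constructed sample modelled on the entry above. The host name and the
# password values are placeholders, not real data.
SAMPLE = [
    'Nov 17 15:32:09 host-a fluentd: "druid.indexer.runner.javaOpts" : '
    '"-server -Xmx512M -Dzookeeper.client.secure=true',
    '-Dzookeeper.ssl.keyStore.location=/etc/druid/cert/keystore.p12',
    '-Dzookeeper.ssl.keyStore.password=example-ks-pass',
    '-Dzookeeper.ssl.trustStore.location=/etc/druid/cert/truststore.p12',
    '-Dzookeeper.ssl.trustStore.password=example-ts-pass',
    '-Dzookeeper.ssl.hostnameVerification=false"',
]

if __name__ == "__main__":
    clean_lines, found = scan(SAMPLE)
    for lineno, prop in found:
        print(f"line {lineno}: masked value of {prop}")
    print("\n".join(clean_lines))
```

The findings list can be used to count how often each property appears in collected logs, while the cleaned lines are safe to attach to a support case.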