Future vulnerability reports should be sent to secur...@apache.org so that they can be resolved privately.
Thank you

On Fri, Feb 12, 2021 at 10:17 AM Ishan Chattopadhyaya <ichattopadhy...@gmail.com> wrote:

> Recent versions of Solr use 2048.
>
> https://github.com/apache/lucene-solr/blob/branch_8_6/solr/core/src/java/org/apache/solr/util/CryptoKeys.java#L332
>
> Thanks for your report.
>
> On Fri, Feb 12, 2021 at 3:44 PM Mahir Kabir <mdmahiras...@vt.edu> wrote:
>
> > Hello,
> >
> > I am a Ph.D. student at Virginia Tech, USA. While working on security project-related work, we came across the following vulnerability in the source code -
> >
> > In file
> > https://github.com/apache/lucene-solr/blob/branch_6_6/solr/core/src/java/org/apache/solr/util/CryptoKeys.java
> > <https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java>
> > (at Line 300) Key Size was set as 1024.
> >
> > *Security Impact*:
> >
> > < 2048 key size for RSA algorithm makes the system vulnerable to brute-force attack
> >
> > *Useful resource*:
> > https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-4426
> >
> > *Solution we suggest*:
> >
> > For RSA algorithm, the key size should be >= 2048
> >
> > *Please share with us your opinions/comments, if any*:
> >
> > Is the bug report helpful?
> >
> > Please let us know what you think about the issue. Any feedback will be appreciated.
> >
> > Thank you,
> > Md Mahir Asef Kabir
> > Ph.D. Student
> > Department of CS
> > Virginia Tech
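The thread's point is a key-size policy: RSA keys generated with `KeyPairGenerator` at 1024 bits fall below the 2048-bit floor the reporter recommends and that later Solr branches already use. The following Java program is an added example, not Solr's `CryptoKeys` code or anything from the thread; the class name `RsaKeySizePolicy`, its methods and the `MIN_RSA_BITS` constant are assumptions made for illustration. It generates keys at the weak setting (1024) and the corrected one (2048) and runs the same modulus-length check a reviewer could apply to keys loaded from an existing keystore, where the generation parameter is no longer visible.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;

// Added example (hypothetical class); not part of Apache Solr.
public class RsaKeySizePolicy {
    // Minimum RSA modulus length accepted by this policy; matches the
    // thread's recommendation (assumed value for the example).
    public static final int MIN_RSA_BITS = 2048;

    /** Returns the modulus bit length of an RSA public key, or -1 if the key is not RSA. */
    public static int rsaKeyBits(PublicKey key) {
        if (key instanceof RSAPublicKey) {
            return ((RSAPublicKey) key).getModulus().bitLength();
        }
        return -1;
    }

    /** True only if the key is RSA and its modulus is at least MIN_RSA_BITS long. */
    public static boolean meetsPolicy(PublicKey key) {
        return rsaKeyBits(key) >= MIN_RSA_BITS;
    }

    /** Generates an RSA key pair of the requested size, the way CryptoKeys-style code would. */
    public static KeyPair generate(int bits) throws NoSuchAlgorithmException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(bits);
        return gen.generateKeyPair();
    }

    public static void main(String[] args) throws Exception {
        // Weak setting reported in the thread (1024) beside the corrected one (2048).
        for (int bits : new int[] {1024, 2048}) {
            PublicKey pub = generate(bits).getPublic();
            System.out.printf("RSA-%d key: modulus %d bits -> %s%n",
                    bits, rsaKeyBits(pub),
                    meetsPolicy(pub) ? "accepted" : "REJECTED (below " + MIN_RSA_BITS + ")");
        }
    }
}
```

Because the check reads the modulus length from the `PublicKey` object rather than from the generator parameter, the same `meetsPolicy` call works for keys pulled out of a `KeyStore` or parsed from a certificate, which is how a deployment would audit keys that were generated under the older 1024-bit default.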