Stefan Miklosovic created CASSANDRA-16990:
---------------------------------------------
Summary: Update jbcrypt library to 0.4 from 0.3m to resolve CVE-2015-0886
Key: CASSANDRA-16990
URL: https://issues.apache.org/jira/browse/CASSANDRA-16990
Project: Cassandra
Issue Type: Task
Components: Dependencies
Reporter: Stefan Miklosovic
Assignee: Stefan Miklosovic
We are using jbcrypt version 0.3m across all versions; this version of the library has never been changed since 1.1.2.
In 0.3m they found this out (1) (see (2) for a better explanation).
I think we are affected by this; it is possible to set 31 rounds here (3), which would afterward hit the same logic these tickets are talking about.
1) [http://www.mindrot.org/projects/jBCrypt/news/rel04.html]
2) [https://bugzilla.mindrot.org/show_bug.cgi?id=2097]
3) [https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/auth/CassandraRoleManager.java#L105-L117]
I hence propose to update the library to 0.4 where this is fixed.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
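As an added illustration (not code from the ticket, from jBCrypt or from Cassandra) of why a log2 rounds value of 31 matters when the round count is held in a Java int, together with a bound check a deployment could apply to its configured value; the accepted range [4, 30] and the method names are assumptions made for this example.

```java
// Illustration only: not jBCrypt or Cassandra code.
public final class BcryptRoundsCheck {

    // A 32-bit implementation may derive the work factor as 1 << logRounds.
    // For logRounds == 31 the shift overflows to Integer.MIN_VALUE, a negative
    // number, because Java ints are signed 32-bit values.
    static int roundsAsInt(int logRounds) {
        return 1 << logRounds;
    }

    // The same work factor computed in a 64-bit long does not overflow for 31,
    // so comparing the two makes the lost magnitude visible.
    static long roundsAsLong(int logRounds) {
        return 1L << logRounds;
    }

    // A stretching loop written as "for (i = 0; i < rounds; i++)" performs no
    // iterations at all when rounds is negative: the cost silently vanishes.
    // Returns how many iterations such a loop would run (0 when rounds <= 0).
    static long iterationsOfGuardedLoop(int rounds) {
        return rounds > 0 ? rounds : 0;
    }

    // Defensive bound for a configured log2 rounds value (assumed range [4, 30]):
    // rejecting 31 keeps the derived round count inside a positive int.
    static int validateLog2Rounds(int logRounds) {
        if (logRounds < 4 || logRounds > 30) {
            throw new IllegalArgumentException(
                "bcrypt log2 rounds must be within [4, 30], got " + logRounds);
        }
        return logRounds;
    }

    public static void main(String[] args) {
        int configured = args.length > 0 ? Integer.parseInt(args[0]) : 31;
        System.out.println("int rounds   = " + roundsAsInt(configured));
        System.out.println("long rounds  = " + roundsAsLong(configured));
        System.out.println("loop iters   = " + iterationsOfGuardedLoop(roundsAsInt(configured)));
        try {
            validateLog2Rounds(configured);
            System.out.println("configured value accepted");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```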