[ 
https://issues.apache.org/jira/browse/ATLAS-3854?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Mandar Ambawane updated ATLAS-3854:
-----------------------------------
    Description: 
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x 
prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed 
null initialization vector with CBC Mode in the implementation of the queryable 
text encryptor. A malicious user with access to the data that has been 
encrypted using such an encryptor may be able to derive the unencrypted values 
using a dictionary attack.


 To resolve this, we need to upgrade Spring Security to 4.2.16.

  was:
Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x 
prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed 
null initialization vector with CBC Mode in the implementation of the queryable 
text encryptor. A malicious user with access to the data that has been 
encrypted using such an encryptor may be able to derive the unencrypted values 
using a dictionary attack.
To resolve this, we need to upgrade Spring Security to 4.2.16.


> Upgrade Spring Security version to 4.2.16
> -----------------------------------------
>
>                 Key: ATLAS-3854
>                 URL: https://issues.apache.org/jira/browse/ATLAS-3854
>             Project: Atlas
>          Issue Type: Bug
>            Reporter: Mandar Ambawane
>            Assignee: Mandar Ambawane
>            Priority: Major
>
> Spring Security versions 5.3.x prior to 5.3.2, 5.2.x prior to 5.2.4, 5.1.x 
> prior to 5.1.10, 5.0.x prior to 5.0.16 and 4.2.x prior to 4.2.16 use a fixed 
> null initialization vector with CBC Mode in the implementation of the 
> queryable text encryptor. A malicious user with access to the data that has 
> been encrypted using such an encryptor may be able to derive the unencrypted 
> values using a dictionary attack.
>  To resolve this, we need to upgrade Spring Security to 4.2.16.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
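
Why the fixed null IV in the description matters, as an added illustration that is not part of the Jira issue and is not Spring Security's code: it uses the JDK's `javax.crypto` with AES-CBC and an all-zero IV as a stand-in for the affected encryptor, next to a per-message random IV. The class name, key and sample values are constructed for the example.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class FixedIvDemo {
    private static final SecureRandom RNG = new SecureRandom();

    private static byte[] cbc(SecretKeySpec key, byte[] iv, String plaintext) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return c.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
    }

    // Deterministic: all-zero ("null") IV, the pattern the issue describes.
    static byte[] encryptFixedIv(SecretKeySpec key, String plaintext) throws Exception {
        return cbc(key, new byte[16], plaintext);
    }

    // Randomized: fresh 16-byte IV per message, prepended to the ciphertext.
    static byte[] encryptRandomIv(SecretKeySpec key, String plaintext) throws Exception {
        byte[] iv = new byte[16];
        RNG.nextBytes(iv);
        byte[] ct = cbc(key, iv, plaintext);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        byte[] rawKey = new byte[16];              // constructed demo key
        RNG.nextBytes(rawKey);
        SecretKeySpec key = new SecretKeySpec(rawKey, "AES");
        // Constructed column values; rows 0 and 2 hold the same plaintext.
        String[] rows = {"alice@example.com", "bob@example.com", "alice@example.com"};
        Base64.Encoder b64 = Base64.getEncoder();
        for (String row : rows) {
            System.out.println("fixed IV:  " + b64.encodeToString(encryptFixedIv(key, row)));
            System.out.println("random IV: " + b64.encodeToString(encryptRandomIv(key, row)));
        }
        // Under the fixed IV, equal plaintexts are visible as equal ciphertexts.
        System.out.println("fixed IV, rows 0 and 2 equal:  "
            + Arrays.equals(encryptFixedIv(key, rows[0]), encryptFixedIv(key, rows[2])));
        System.out.println("random IV, rows 0 and 2 equal: "
            + Arrays.equals(encryptRandomIv(key, rows[0]), encryptRandomIv(key, rows[2])));
    }
}
```

With the fixed IV, rows 0 and 2 produce identical ciphertext, so anyone who can read the stored data learns which values repeat without holding the key; with a random IV the two ciphertexts differ.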
