[ https://issues.apache.org/jira/browse/DELTASPIKE-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Md Mahir Asef Kabir updated DELTASPIKE-1406:
--------------------------------------------
    Description:
*Vulnerability Description:* In “deltaspike/core/impl/src/main/java/org/apache/deltaspike/core/impl/crypto/DefaultCipherService.java”, the following algorithms were set to use later -
{code:java}
private static final String HASH_ALGORITHM = "SHA-256";
private static final String CIPHER_ALGORITHM = "AES";
{code}
Here, SHA-256 and AES are vulnerable.

*Reason it’s vulnerable:* According to [this|https://soylentnews.org/article.pl?sid=19/09/10/2351241], SHA256 can be broken.
“AES” is also not secure. For further reference, please follow [this|https://zachgrace.com/posts/attacking-ecb/]

*Suggested Fix:* The secure algorithms to set would be -
{code:java}
private static final String HASH_ALGORITHM = "SHA-512";
private static final String CIPHER_ALGORITHM = "AES/CFB/PKCS5Padding";
{code}
*Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful

  was:
*Vulnerability Description:* In “deltaspike/core/impl/src/main/java/org/apache/deltaspike/core/impl/crypto/DefaultCipherService.java”, the following algorithms were set to use later -
{code:java}
private static final String HASH_ALGORITHM = "SHA-256";
private static final String CIPHER_ALGORITHM = "AES";
{code}
Here, SHA-256 and AES are vulnerable.

*Reason it’s vulnerable:* According to [this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/], “SHA256 functions do not include a salt and a separate function must be used to add the salt”. Another reference can be found here - https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm.
“AES” is also not secure. For further reference, please follow [this|https://zachgrace.com/posts/attacking-ecb/]

*Suggested Fix:* The secure algorithms to set would be -
{code:java}
private static final String HASH_ALGORITHM = "SHA-512";
private static final String CIPHER_ALGORITHM = "AES/CFB/PKCS5Padding";
{code}
*Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful

> Usage of "SHA-256" and "AES" is insecure
> ----------------------------------------
>
>                 Key: DELTASPIKE-1406
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-1406
>             Project: DeltaSpike
>          Issue Type: Improvement
>      Security Level: public(Regular issues)
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>
> *Vulnerability Description:* In “deltaspike/core/impl/src/main/java/org/apache/deltaspike/core/impl/crypto/DefaultCipherService.java”, the following algorithms were set to use later -
> {code:java}
> private static final String HASH_ALGORITHM = "SHA-256";
> private static final String CIPHER_ALGORITHM = "AES";
> {code}
> Here, SHA-256 and AES are vulnerable.
> *Reason it’s vulnerable:* According to [this|https://soylentnews.org/article.pl?sid=19/09/10/2351241], SHA256 can be broken.
> “AES” is also not secure. For further reference, please follow [this|https://zachgrace.com/posts/attacking-ecb/]
> *Suggested Fix:* The secure algorithms to set would be -
> {code:java}
> private static final String HASH_ALGORITHM = "SHA-512";
> private static final String CIPHER_ALGORITHM = "AES/CFB/PKCS5Padding";
> {code}
> *Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -
> # Liked it and will make the suggested changes
> # Liked it but happy with the existing version
> # Didn’t find the suggestion helpful

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
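
Added example, not part of the issue or of the DeltaSpike code base: on the JDK's default SunJCE provider the bare transformation "AES" resolves to AES/ECB/PKCS5Padding, the mode the linked ECB write-up concerns. The check below compares the two transformation strings from the issue on a constructed plaintext; the class name, helper names and sample input are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

// Hypothetical helper class; not DeltaSpike code.
public class CipherModeCheck {
    // Constructed sample input: the same 16-byte block twice.
    static final byte[] PLAINTEXT =
        "SIXTEEN BYTE BLKSIXTEEN BYTE BLK".getBytes(StandardCharsets.US_ASCII);

    // True when the first two 16-byte ciphertext blocks are identical,
    // i.e. the mode leaks which plaintext blocks repeat.
    static boolean repeatsBlocks(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16),
                             Arrays.copyOfRange(ct, 16, 32));
    }

    // Encrypts PLAINTEXT; pass iv == null for modes that take no IV (ECB).
    static byte[] encrypt(String transformation, SecretKey key, byte[] iv)
            throws Exception {
        Cipher c = Cipher.getInstance(transformation);
        if (iv == null) {
            c.init(Cipher.ENCRYPT_MODE, key);
        } else {
            c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        }
        return c.doFinal(PLAINTEXT);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // Current value of CIPHER_ALGORITHM versus the explicit ECB name.
        byte[] bare = encrypt("AES", key, null);
        byte[] ecb = encrypt("AES/ECB/PKCS5Padding", key, null);
        System.out.println("\"AES\" == AES/ECB/PKCS5Padding: " + Arrays.equals(bare, ecb));
        System.out.println("\"AES\" repeats blocks: " + repeatsBlocks(bare));

        // Suggested value: needs a fresh random 16-byte IV per message,
        // which must be stored or sent alongside the ciphertext.
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        byte[] cfb = encrypt("AES/CFB/PKCS5Padding", key, iv);
        System.out.println("AES/CFB/PKCS5Padding repeats blocks: " + repeatsBlocks(cfb));
    }
}
```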