[
https://issues.apache.org/jira/browse/DELTASPIKE-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Md Mahir Asef Kabir updated DELTASPIKE-1406:
--------------------------------------------
Description:
*Vulnerability Description:* In
“deltaspike/core/impl/src/main/java/org/apache/deltaspike/core/impl/crypto/DefaultCipherService.java”,
the following algorithms were set to use later -
{code:java}
private static final String HASH_ALGORITHM = "SHA-256";
private static final String CIPHER_ALGORITHM = "AES";
{code}
Here, SHA-256 and AES are vulnerable.
*Reason it’s vulnerable:* According to
[this|https://soylentnews.org/article.pl?sid=19/09/10/2351241], SHA256 can be
broken.
“AES” is also not secure. For further reference, please follow
[this|https://zachgrace.com/posts/attacking-ecb/]
*Suggested Fix:* The secure algorithms to set would be -
{code:java}
private static final String HASH_ALGORITHM = "SHA-512";
private static final String CIPHER_ALGORITHM = "AES/CFB/PKCS5Padding";
{code}
*Feedback:* Please select any of the options down below to help us get an idea
about how you felt about the suggestion -
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful
was:
*Vulnerability Description:* In
“deltaspike/core/impl/src/main/java/org/apache/deltaspike/core/impl/crypto/DefaultCipherService.java”,
the following algorithms were set to use later -
{code:java}
private static final String HASH_ALGORITHM = "SHA-256";
private static final String CIPHER_ALGORITHM = "AES";
{code}
Here, SHA-256 and AES are vulnerable.
*Reason it’s vulnerable:* According to
[this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/],
“SHA256 functions do not include a salt and a separate function must be used
to add the salt”. Another reference can be found here -
https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm.
“AES” is also not secure. For further reference, please follow
[this|https://zachgrace.com/posts/attacking-ecb/]
*Suggested Fix:* The secure algorithms to set would be -
{code:java}
private static final String HASH_ALGORITHM = "SHA-512";
private static final String CIPHER_ALGORITHM = "AES/CFB/PKCS5Padding";
{code}
*Feedback:* Please select any of the options down below to help us get an idea
about how you felt about the suggestion -
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful
> Usage of "SHA-256" and "AES" is insecure
> ----------------------------------------
>
> Key: DELTASPIKE-1406
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1406
> Project: DeltaSpike
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Reporter: Md Mahir Asef Kabir
> Priority: Major
>
> *Vulnerability Description:* In
> “deltaspike/core/impl/src/main/java/org/apache/deltaspike/core/impl/crypto/DefaultCipherService.java”,
> the following algorithms were set to use later -
> {code:java}
> private static final String HASH_ALGORITHM = "SHA-256";
> private static final String CIPHER_ALGORITHM = "AES";
> {code}
> Here, SHA-256 and AES are vulnerable.
> *Reason it’s vulnerable:* According to
> [this|https://soylentnews.org/article.pl?sid=19/09/10/2351241], SHA256 can be
> broken.
> “AES” is also not secure. For further reference, please follow
> [this|https://zachgrace.com/posts/attacking-ecb/]
> *Suggested Fix:* The secure algorithms to set would be -
> {code:java}
> private static final String HASH_ALGORITHM = "SHA-512";
> private static final String CIPHER_ALGORITHM = "AES/CFB/PKCS5Padding";
> {code}
> *Feedback:* Please select any of the options down below to help us get an
> idea about how you felt about the suggestion -
> # Liked it and will make the suggested changes
> # Liked it but happy with the existing version
> # Didn’t find the suggestion helpful
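
The ECB article linked in the report bears on what a bare "AES" transformation string selects. The Java program below is an added example, not DeltaSpike's code or the reporter's; it compares that string with the IV-based transformation proposed in the report. It assumes the JDK's bundled SunJCE provider, where "AES" without mode and padding resolves to AES/ECB/PKCS5Padding; the class name, helper names and sample plaintext are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Hypothetical class name; not part of DeltaSpike.
public class AesTransformationCheck {

    // True when the first two 16-byte ciphertext blocks are identical,
    // i.e. the ciphertext reveals that a plaintext block repeated.
    static boolean firstTwoBlocksEqual(byte[] ct) {
        return Arrays.equals(Arrays.copyOfRange(ct, 0, 16),
                             Arrays.copyOfRange(ct, 16, 32));
    }

    // Encrypts with the given JCA transformation string.
    static byte[] encrypt(String transformation, SecretKey key, byte[] plaintext)
            throws Exception {
        Cipher cipher = Cipher.getInstance(transformation);
        if (transformation.equals("AES") || transformation.contains("/ECB/")) {
            cipher.init(Cipher.ENCRYPT_MODE, key);   // ECB takes no IV
        } else {
            byte[] iv = new byte[16];                // fresh random IV per message;
            new SecureRandom().nextBytes(iv);        // real code must store it with the ciphertext
            cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        }
        return cipher.doFinal(plaintext);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();

        // Constructed sample input: the same 16-byte block twice.
        byte[] plaintext = "0123456789abcdef0123456789abcdef"
                .getBytes(StandardCharsets.US_ASCII);

        String[] transformations = {"AES", "AES/ECB/PKCS5Padding", "AES/CFB/PKCS5Padding"};
        for (String t : transformations) {
            byte[] ct = encrypt(t, key, plaintext);
            System.out.printf("%-22s repeated block visible in ciphertext: %b%n",
                    t, firstTwoBlocksEqual(ct));
        }
    }
}
```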