Md Mahir Asef Kabir created KYLIN-4479: ------------------------------------------
Summary: Usage of "AES/ECB/PKCS5Padding" is insecure
Key: KYLIN-4479
URL: https://issues.apache.org/jira/browse/KYLIN-4479
Project: Kylin
Issue Type: Improvement
Reporter: Md Mahir Asef Kabir

*Vulnerability Description:*

In "core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java" the following code was written in the public static String encrypt(String strToEncrypt) method and the public static String decrypt(String strToDecrypt) method:

{code:java}
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
{code}

The vulnerability is using "AES/ECB/PKCS5Padding" as the argument to the Cipher.getInstance method.

*Reason it's vulnerable:*

"AES/ECB/PKCS5Padding" is not secure. For further reference, please follow [this|https://zachgrace.com/posts/attacking-ecb].

*Suggested Fix:*

Using
{code:java}
Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
{code}

*Feedback:*

Please select any of the options down below to help us get an idea about how you felt about the suggestion:
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn't find the suggestion helpful

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
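As an added illustration, not part of the ticket or of Kylin's EncryptUtil, the following Java program encrypts a plaintext built from one repeated 16-byte block with the two transformations named above and counts the distinct ciphertext blocks, which makes the ECB pattern leakage visible; the key, the sample plaintext and the random-IV handling are constructed for this demo.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class EcbPatternDemo {
    // Constructed sample: the same 16-byte block repeated four times (64 bytes).
    static final byte[] PLAINTEXT = repeat("SAME_BLOCK_1234!".getBytes(), 4);

    static byte[] repeat(byte[] block, int times) {
        byte[] out = new byte[block.length * times];
        for (int i = 0; i < times; i++) System.arraycopy(block, 0, out, i * block.length, block.length);
        return out;
    }

    // Number of distinct 16-byte ciphertext blocks. ECB is deterministic per block, so
    // identical plaintext blocks produce identical ciphertext blocks and this count stays low.
    static int distinctBlocks(byte[] ct) {
        Set<String> seen = new HashSet<>();
        for (int i = 0; i + 16 <= ct.length; i += 16)
            seen.add(Arrays.toString(Arrays.copyOfRange(ct, i, i + 16)));
        return seen.size();
    }

    // iv == null selects an IV-less mode such as ECB; otherwise the IV is passed to init().
    static byte[] encrypt(String transformation, SecretKey key, byte[] iv, byte[] pt) throws Exception {
        Cipher cipher = Cipher.getInstance(transformation);
        if (iv == null) cipher.init(Cipher.ENCRYPT_MODE, key);
        else cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        return cipher.doFinal(pt);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey(); // demo key; a real deployment loads it from a secret store

        byte[] ecb = encrypt("AES/ECB/PKCS5Padding", key, null, PLAINTEXT);
        System.out.println("ECB distinct blocks: " + distinctBlocks(ecb) + " of " + ecb.length / 16);

        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv); // fresh random IV per message; store it next to the ciphertext
        byte[] cfb = encrypt("AES/CFB/PKCS5Padding", key, iv, PLAINTEXT);
        System.out.println("CFB distinct blocks: " + distinctBlocks(cfb) + " of " + cfb.length / 16);
    }
}
```

The ECB output repeats the same ciphertext block for every repeated plaintext block, so the structure of the data shows through; the IV-based mode yields blocks that all differ, and the decrypting side needs the same IV, which is why it has to be transmitted or stored with the ciphertext.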