Md Mahir Asef Kabir created KYLIN-4479:
------------------------------------------

             Summary: Usage of "AES/ECB/PKCS5Padding" is insecure
                 Key: KYLIN-4479
                 URL: https://issues.apache.org/jira/browse/KYLIN-4479
             Project: Kylin
          Issue Type: Improvement
            Reporter: Md Mahir Asef Kabir


*Vulnerability Description:* In the file 
"core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java", the 
following code is used in both the public static String encrypt(String 
strToEncrypt) method and the public static String decrypt(String strToDecrypt) 
method:


{code:java}
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
{code}


The vulnerability is the use of "AES/ECB/PKCS5Padding" as the argument to the 
Cipher.getInstance method.


*Reason it's vulnerable:* "AES/ECB/PKCS5Padding" is not secure. For further 
reference, please see [this|https://zachgrace.com/posts/attacking-ecb].


*Suggested Fix:* Use

{code:java}
Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
{code}



*Feedback:* Please select one of the options below to let us know how you felt 
about the suggestion:

# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
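The following is an added, stand-alone example written for this page; it is not code from Apache Kylin's EncryptUtil and not part of the issue above. It shows the concrete leak behind the report: under AES/ECB every identical 16-byte plaintext block produces an identical ciphertext block, and the same input always encrypts to the same output, so structure and repetition in the plaintext are visible without the key. Beside it is one hardened form, AES/GCM/NoPadding with a fresh random 96-bit nonce prepended to the ciphertext, which also authenticates the data. The key, the repeated "user=admin;role=" record and the class and method names are constructed for the demo. Whichever non-ECB mode is adopted (CFB as suggested above, or an authenticated mode such as GCM), the cipher has to be initialised with a fresh, unpredictable IV that is stored or transmitted alongside the ciphertext; reusing an IV under the same key with CFB or GCM reintroduces leakage.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class EcbPatternDemo {

    // Constructed 16-byte key for the demo only; a real key must come from a KDF or key store.
    private static final byte[] DEMO_KEY =
            "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    private static final SecretKey KEY = new SecretKeySpec(DEMO_KEY, "AES");

    /** Mirrors the reported pattern: no IV, deterministic, block by block. */
    static byte[] encryptEcb(byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, KEY);
        return cipher.doFinal(plaintext);
    }

    /** Hardened form: AES-GCM, fresh random 12-byte nonce prepended to ciphertext||tag. */
    static byte[] encryptGcm(byte[] plaintext) throws Exception {
        byte[] nonce = new byte[12];
        new SecureRandom().nextBytes(nonce);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, KEY, new GCMParameterSpec(128, nonce));
        byte[] ct = cipher.doFinal(plaintext);
        byte[] out = new byte[nonce.length + ct.length];
        System.arraycopy(nonce, 0, out, 0, nonce.length);
        System.arraycopy(ct, 0, out, nonce.length, ct.length);
        return out;
    }

    /** Splits off the nonce and verifies the tag; throws AEADBadTagException on tampering. */
    static byte[] decryptGcm(byte[] nonceAndCt) throws Exception {
        byte[] nonce = Arrays.copyOfRange(nonceAndCt, 0, 12);
        byte[] ct = Arrays.copyOfRange(nonceAndCt, 12, nonceAndCt.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, KEY, new GCMParameterSpec(128, nonce));
        return cipher.doFinal(ct);
    }

    /** Number of distinct 16-byte blocks in a ciphertext: the ECB leak as one number. */
    static int distinctBlocks(byte[] ct) {
        Set<String> seen = new HashSet<>();
        for (int i = 0; i + 16 <= ct.length; i += 16) {
            seen.add(Arrays.toString(Arrays.copyOfRange(ct, i, i + 16)));
        }
        return seen.size();
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the same 16-byte record repeated 8 times (128 bytes).
        byte[] record = "user=admin;role=".getBytes(StandardCharsets.US_ASCII);
        byte[] plaintext = new byte[record.length * 8];
        for (int i = 0; i < 8; i++) {
            System.arraycopy(record, 0, plaintext, i * 16, 16);
        }

        byte[] ecb = encryptEcb(plaintext);
        // 128 bytes pad to 144 (9 blocks): 8 identical data blocks plus one padding block,
        // so only 2 distinct blocks appear even though nothing else is known about the key.
        System.out.println("ECB distinct blocks: " + distinctBlocks(ecb)
                + " of " + ecb.length / 16);

        byte[] gcm = encryptGcm(plaintext);
        // Strip the 12-byte nonce and the 16-byte tag: the 8 data blocks are all different.
        byte[] gcmBody = Arrays.copyOfRange(gcm, 12, gcm.length - 16);
        System.out.println("GCM distinct blocks: " + distinctBlocks(gcmBody)
                + " of " + gcmBody.length / 16);

        // Encrypting the same plaintext twice: ECB is byte-identical, GCM is not.
        System.out.println("ECB repeats: " + Arrays.equals(ecb, encryptEcb(plaintext)));
        System.out.println("GCM repeats: " + Arrays.equals(gcm, encryptGcm(plaintext)));

        System.out.println("GCM round-trip ok: " + Arrays.equals(plaintext, decryptGcm(gcm)));
    }
}
```

Compile and run with `javac EcbPatternDemo.java && java EcbPatternDemo`; the ECB line reports 2 distinct blocks out of 9 and "ECB repeats: true", while the GCM line reports 8 distinct blocks out of 8 and "GCM repeats: false". The same distinct-block count is a cheap check to run over any stored ciphertext produced by the current EncryptUtil: a count well below the number of blocks means the data is leaking its structure.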
