[
https://issues.apache.org/jira/browse/PHOENIX-4702?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16456724#comment-16456724
]
Koundinya Ravulapati commented on PHOENIX-4702:
-----------------------------------------------
[~gjacoby] I could only see these references
[https://github.com/apache/phoenix/search?utf8=%E2%9C%93&q=MD5&type=], which
match the uses you have given, and nothing solid to prove the jar is depending
on MD5 as a cryptographic hash.
> MD5 Hash Algorithm in Phoenix which is insecure and easily cracked
> ------------------------------------------------------------------
>
> Key: PHOENIX-4702
> URL: https://issues.apache.org/jira/browse/PHOENIX-4702
> Project: Phoenix
> Issue Type: Improvement
> Affects Versions: 4.7.0
> Reporter: Koundinya Ravulapati
> Priority: Major
> Labels: Encryption, Phoenix, Security, hashing
>
> Hi Team,
> We have run a security check on
> compile group: 'org.apache.phoenix', name: 'phoenix', version:
> '4.7.0-CLABS-1.3.0', classifier: 'client-minimal'
> and our security scan has revealed that Phoenix is using a weak encryption MD5
> like
> digest = java.security.MessageDigest.getInstance("MD5")
> The hashing algorithm used, MD5, has been found by researchers to be unsafe
> for protecting sensitive data with today's technology.
> I have checked the [https://github.com/apache/phoenix/tree/4.7.0-HBase-1.1]
> and also other versions; it still has the same algorithm. Is the Phoenix
> team considering using a stronger algorithm like SHA-256? Can you please
> let us know if this is already available in any new versions of Phoenix, or in
> which version this can be made available if the team is working on it?