Ya Xiao created RANGER-3151:
-------------------------------
Summary: Avoid hardcoded salt in creating PBE
Key: RANGER-3151
URL: https://issues.apache.org/jira/browse/RANGER-3151
Project: Ranger
Issue Type: Improvement
Components: Ranger
Reporter: Ya Xiao
We found a security vulnerability in file src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java. It allows a hardcoded salt "f77aLYLo" (at Line 54) to be passed to the PBE instantiation (at Line 79).

*Security Impact*: The salt is expected to be a random string. A hardcoded salt may compromise system security in a way that cannot be easily remedied.

_References_:
[https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
[https://cwe.mitre.org/data/definitions/760.html]
[http://www.crypto-it.net/eng/theory/pbe.html#part_salt]

*Solution we suggest*
We suggest generating a random default salt with the SecureRandom class.

*Please share with us your opinions/comments if there are any*
Is the bug report helpful?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
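The following is an added illustration of the fix the report suggests; it is not Ranger's PasswordUtils code. It derives a PBE key twice with the fixed salt quoted above (showing that the same password always yields the same key) and twice with a per-derivation SecureRandom salt, using the standard JDK PBKDF2WithHmacSHA256 factory; the class name, iteration count and sample password are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltedPbeExample {           // hypothetical class, not part of Ranger
    private static final int SALT_BYTES = 16;
    private static final int ITERATIONS = 100_000;  // assumed work factor
    private static final int KEY_BITS = 256;

    // Weak pattern described in the report: one salt shared by every derivation.
    static final byte[] HARDCODED_SALT = "f77aLYLo".getBytes(StandardCharsets.UTF_8);

    // Fixed pattern: a fresh random salt for each derivation, from SecureRandom.
    static byte[] newSalt() {
        byte[] salt = new byte[SALT_BYTES];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    // PBKDF2 derivation; the password is wiped from the spec once the key exists.
    static byte[] deriveKey(char[] password, byte[] salt) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        try {
            SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
            return f.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword();
        }
    }

    // The salt is not secret: store it beside the derived key so a verifier can re-derive it.
    static String encode(byte[] salt, byte[] key) {
        Base64.Encoder b64 = Base64.getEncoder();
        return b64.encodeToString(salt) + ":" + b64.encodeToString(key);
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse battery staple".toCharArray();  // constructed sample
        // Hardcoded salt: identical passwords give identical keys, so one precomputed
        // table works against every installation that ships this salt.
        byte[] k1 = deriveKey(pw, HARDCODED_SALT);
        byte[] k2 = deriveKey(pw, HARDCODED_SALT);
        System.out.println("hardcoded salt, keys equal: " + Arrays.equals(k1, k2));  // true
        // Random salt: the same password yields different keys per derivation.
        byte[] s1 = newSalt(), s2 = newSalt();
        System.out.println("random salts, keys equal: " + Arrays.equals(deriveKey(pw, s1), deriveKey(pw, s2)));  // false
        System.out.println("stored record: " + encode(s1, deriveKey(pw, s1)));
    }
}
```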