[ https://issues.apache.org/jira/browse/RANGER-3151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17269405#comment-17269405 ]

Dhaval Shah edited comment on RANGER-3151 at 1/21/21, 4:05 PM:
---------------------------------------------------------------

Hi [~yaxiao],

We use the default hardcoded salt only if the supplied password string is empty, null or of length < 4. Otherwise we create the salt from the password string only.

[https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java#L97]

Thanks

was (Author: dhavalshah9131):
Hi [~yaxiao],

We use the default hardcoded salt only if the supplied password string is empty, null or of length < 4. Otherwise we create the salt from the password string only.

[https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java#L97]

{code:java}
if (crypt_algo_array != null && crypt_algo_array.length > 4) {
{code}

Thanks.

> Avoid hardcoded salt in creating PBE
> ------------------------------------
>
>                 Key: RANGER-3151
>                 URL: https://issues.apache.org/jira/browse/RANGER-3151
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>            Reporter: Ya Xiao
>            Priority: Major
>              Labels: patch, security
>
> We found a security vulnerability in file
> [ranger/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java|https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java].
> It allows a hardcoded salt "f77aLYLo" (at Line 54) to be passed to the PBE
> instantiation (at Line 79).
>
> *Security Impact*:
> The salt is expected to be a random string. A hardcoded salt may compromise
> system security in a way that cannot be easily remedied.
>
> _Useful links_:
> [https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
> [https://cwe.mitre.org/data/definitions/760.html]
> [http://www.crypto-it.net/eng/theory/pbe.html#part_salt]
>
> *Solution we suggest*
> We suggest generating a random default salt with the SecureRandom class.
>
> *Please share with us your opinions/comments if there are any*
> Is the bug report helpful?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
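The thread above contrasts a hardcoded salt with a salt "created from the password string" and the reporter's suggestion of SecureRandom. The following is an added example, not code from the Ranger project or from either participant, that shows the difference in behaviour between the three choices with Java's standard PBE API. Everything in it is an assumption for illustration: the stand-in password-derived salt (first 8 bytes of the password) is not Ranger's actual derivation, PBKDF2WithHmacSHA256 with 100,000 iterations is not necessarily the algorithm or count used in PasswordUtils.java, and the "f77aLYLo" string is reused only as the "before" value the issue cites.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.security.spec.KeySpec;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class SaltDemo {
    // The hardcoded salt from the issue report, used here only as the "before" case.
    private static final byte[] HARDCODED_SALT = "f77aLYLo".getBytes(StandardCharsets.UTF_8);
    // Assumed parameters for this example; not taken from the Ranger code.
    private static final int ITERATIONS = 100_000;
    private static final int KEY_BITS = 256;

    // Derive a key with PBKDF2 (one concrete PBE); same password + same salt => same key.
    static byte[] derive(char[] password, byte[] salt) throws Exception {
        KeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        return factory.generateSecret(spec).getEncoded();
    }

    // Stand-in for "salt created from the password string": first 8 bytes of the password.
    // Assumption for illustration only; this is NOT how Ranger derives its salt.
    static byte[] saltFromPassword(char[] password) {
        byte[] bytes = new String(password).getBytes(StandardCharsets.UTF_8);
        return Arrays.copyOf(bytes, 8);
    }

    // The reporter's suggestion: a fresh salt from SecureRandom per derivation.
    static byte[] randomSalt() {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        return salt;
    }

    public static void main(String[] args) throws Exception {
        char[] pw = "correct horse".toCharArray();   // constructed sample password

        // Case 1: hardcoded salt. Every deployment with this password derives the same key,
        // so one precomputed table covers all of them (CWE-760).
        byte[] k1 = derive(pw, HARDCODED_SALT);
        byte[] k2 = derive(pw, HARDCODED_SALT);
        System.out.println("hardcoded salt, key repeats:        " + Arrays.equals(k1, k2));

        // Case 2: salt derived from the password. The salt is a function of the password alone,
        // so the derived key is still deterministic: two stores that share a password share a key.
        byte[] k3 = derive(pw, saltFromPassword(pw));
        byte[] k4 = derive(pw, saltFromPassword(pw));
        System.out.println("password-derived salt, key repeats: " + Arrays.equals(k3, k4));

        // Case 3: SecureRandom salt. Two derivations of the same password give different keys,
        // so the salt must be stored next to the ciphertext (Base64 here) to re-derive later.
        byte[] salt = randomSalt();
        byte[] k5 = derive(pw, salt);
        byte[] k6 = derive(pw, randomSalt());
        System.out.println("random salt, keys differ:           " + !Arrays.equals(k5, k6));

        String stored = Base64.getEncoder().encodeToString(salt)
                      + ":" + Base64.getEncoder().encodeToString(k5);
        byte[] storedSalt = Base64.getDecoder().decode(stored.split(":")[0]);
        System.out.println("re-derived from stored salt:        " + Arrays.equals(derive(pw, storedSalt), k5));

        Arrays.fill(pw, '\0');   // clear the password from memory when done
    }
}
```

Run with `javac SaltDemo.java && java SaltDemo`. The first two cases print `true`, which is the property a salt is meant to prevent: whether the salt is a constant or is computed from the password itself, identical passwords map to identical keys, so an attacker can precompute derivations once and reuse them. Only the random salt breaks that link, at the cost of having to persist the salt alongside the ciphertext, which is the format change a fix to this file would need to account for.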