[https://issues.apache.org/jira/browse/RANGER-3151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17270807#comment-17270807]
Ya Xiao commented on RANGER-3151:
---------------------------------
Thank you so much for replying. We are a security research team at Virginia
Tech. Actually, we are doing an empirical study about the usefulness of the
existing security vulnerability detection tools. The reported one is what we
got from certain tools.
There might be a gap between what is reported by the tools and the demands of
developers in practice. We want to collect more information to narrow down the
gap. We would so appreciate it if you could share some opinions about the
following questions.
# For this report, do you think it is still a threat if users feed passwords
that are empty, null or of length < 4? If it is, should we disable it? Or if it
is not a problem, why?
# What kind of support or features do you think are necessary for a bug
detector to be useful in practice? E.g. demonstration of exploits or some
customized fixing suggestions?
# Are there any types of bugs/security vulnerabilities you want the detection
tools to pay more attention to?
# What kind of bug checker/vulnerability detection tools are you using? Do you
think they are helpful?
> Avoid hardcoded salt in creating PBE
> ------------------------------------
>
> Key: RANGER-3151
> URL: https://issues.apache.org/jira/browse/RANGER-3151
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Ya Xiao
> Priority: Major
> Labels: patch, security
>
> We found a security vulnerability in file
> [ranger/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java|https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java].
> It allows a hardcoded salt "f77aLYLo" (at Line 54) to be passed to the PBE
> instantiation (at Line 79).
> *Security Impact*:
> The salt is expected to be a random string. A hardcoded salt may compromise
> system security in a way that cannot be easily remedied.
> _Useful links_:
> [https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
> [https://cwe.mitre.org/data/definitions/760.html]
> [http://www.crypto-it.net/eng/theory/pbe.html#part_salt]
> *Solution we suggest*
> We suggest generating a random default salt with the SecureRandom class.
> *Please share with us your opinions/comments if there are any*
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
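As an added illustration of the suggested fix, not code from Ranger's PasswordUtils: a fresh SecureRandom salt is generated per encryption and stored in front of the ciphertext so that decryption can re-derive the same key, which is what a hardcoded salt silently avoids. The cipher and KDF choices (AES-GCM with PBKDF2WithHmacSHA256) and the rejection of empty or null passwords from question 1 are assumptions of this example, not Ranger's actual configuration.

```java
import java.nio.ByteBuffer;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added illustration (not Ranger's PasswordUtils): a per-encryption random salt,
// stored next to the ciphertext so decryption can derive the same key again.
public final class RandomSaltPbe {
    private static final int SALT_LEN = 16, IV_LEN = 12, ITERATIONS = 100_000, KEY_BITS = 256;
    private static final SecureRandom RNG = new SecureRandom();

    // Output layout: salt || iv || ciphertext, Base64-encoded.
    public static String encrypt(char[] password, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(salt);   // fresh salt per call instead of a fixed string like "f77aLYLo"
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        byte[] ct = cipher.doFinal(plaintext);
        return Base64.getEncoder().encodeToString(
                ByteBuffer.allocate(SALT_LEN + IV_LEN + ct.length).put(salt).put(iv).put(ct).array());
    }

    public static byte[] decrypt(char[] password, String encoded) throws Exception {
        ByteBuffer buf = ByteBuffer.wrap(Base64.getDecoder().decode(encoded));
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[IV_LEN];
        buf.get(salt);         // the salt travels with the ciphertext, so no constant is needed
        buf.get(iv);
        byte[] ct = new byte[buf.remaining()];
        buf.get(ct);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        return cipher.doFinal(ct);  // throws AEADBadTagException on a wrong password or tampering
    }

    private static SecretKeySpec deriveKey(char[] password, byte[] salt) throws Exception {
        if (password == null || password.length == 0) throw new IllegalArgumentException("empty password");
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        byte[] key = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(key, "AES");
    }
}
```

Because the salt is random and stored per record, two encryptions of the same secret under the same password yield different output, which is the property the hardcoded salt removes.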