[jira] [Commented] (RANGER-3181) Avoid using plaintext/hard-coded key while generating secret key

Fri, 12 Feb 2021 21:16:14 -0800 


    [ 
https://issues.apache.org/jira/browse/RANGER-3181?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17284087#comment-17284087
 ] 

Bhavik Patel commented on RANGER-3181:
--------------------------------------

None of the key is hard-coded you can configure each value at the 
https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/security-admin/src/main/resources/conf.dist/ranger-admin-default-site.xml#L587
  and the code of block which you have mentioned that is just to handle Upgrade 
use-case.

Note: for older version of ranger we have hard-coded value.

> Avoid using plaintext/hard-coded key while generating secret key
> ----------------------------------------------------------------
>
>                 Key: RANGER-3181
>                 URL: https://issues.apache.org/jira/browse/RANGER-3181
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>
> We are a security research team at Virginia Tech. We are doing an empirical 
> study about the usefulness of the existing security vulnerability detection 
> tools. The following is a reported vulnerability by certain tools. We'll so 
> appreciate it if you can give any feedback on it.
> *Security Location:* 
> in file 
> [https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java]
>  in line 76, new PBEKeySpec(encryptKey) is invoked with hard-code key, which 
> is defined in line 125.
> *Security Impact:* 
> Cryptographic keys should not be kept in the source code. The source code can 
> be widely shared in an enterprise environment and is certainly shared in open 
> source. The use of a hard-coded cryptographic key significantly increases the 
> possibility that encrypted data may be recovered.
> *suggestions:*
> To be managed safely, passwords and secret keys should be stored in separate 
> configuration files. 
> Useful link:
> [https://cwe.mitre.org/data/definitions/321.html]
> [https://www.appmarq.com/public/tqi,1039028,CWE-327-Avoid-weak-encryption-providing-not-sufficient-key-size-JEE]
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?
>  



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to