[ https://issues.apache.org/jira/browse/RANGER-3151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17284090#comment-17284090 ]

Bhavik Patel commented on RANGER-3151:
--------------------------------------

[~yaxiao] : 

For this report, do you think it is still a threat if users feed passwords that 
are empty, null or length < 4? If it is, should we disable it? Or if it is not 
a problem, why? ==> The job of PasswordUtils is just to encrypt and decrypt 
the string, whether you provide an empty one or not; the length does not matter. 
The admin/user has to make sure they are providing a proper password string for 
encryption. 

You can check here how an empty or null string is handled: 
https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java#L69

I think you got confused by looking at this line of code: 
https://github.com/apache/ranger/blob/master/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java#L97

This does not check the actual password length; you can debug this part further 
to get a clearer idea.

What kind of supports or features do you think are necessary for a bug detector 
to be useful in practice? E.g. demonstration of exploits or some customized 
fixing suggestions? ==> You can update the following properties to a weak value 
and check the bug detector report (currently the default values are strong enough).
* ranger.password.encryption.key
* ranger.password.salt
* ranger.password.iteration.count
* ranger.password.encryption.algorithm

Are there any types of bugs/security vulnerabilities you want the detection 
tools to pay more attention to? ==> There might be many old (version) jars that 
might have more vulnerabilities.



> Avoid hardcoded salt in creating PBE
> ------------------------------------
>
>                 Key: RANGER-3151
>                 URL: https://issues.apache.org/jira/browse/RANGER-3151
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>            Reporter: Ya Xiao
>            Priority: Major
>              Labels: patch, security
>
> We found a security vulnerability in file 
> [ranger/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java|https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java].
> It allows a hardcoded salt "f77aLYLo" (at Line 54) passed to the PBE 
> instantiation (at Line 79). 
> *Security Impact*:
> The salt is expected as a random string. A hardcoded salt may compromise 
> system security in a way that cannot be easily remedied.
> _Useful links_:
> [https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
> [https://cwe.mitre.org/data/definitions/760.html]
> [http://www.crypto-it.net/eng/theory/pbe.html#part_salt]
> *Solution we suggest*
> We suggest generating a random default salt by SecureRandom class.
> *Please share with us your opinions/comments if there are any*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
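As an added illustration (not code from Ranger or from either commenter), here is the contrast the report and the reply are about: a build-time salt such as the literal flagged above versus a salt drawn fresh per call from a CSPRNG (the role SecureRandom plays in Java) and stored next to the output so it can still be reproduced for decryption. It is Python, with PBKDF2-HMAC standing in for the project's PBE scheme and the constants standing in for the ranger.password.* properties listed in the comment; every value below is constructed.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

# Constructed stand-ins for the properties named in the comment
# (ranger.password.encryption.key / .salt / .iteration.count / .algorithm).
# Values are illustrative; PBKDF2-HMAC stands in for the project's PBE scheme.
HARDCODED_SALT = b"f77aLYLo"   # the literal the report flags, used only to show the weakness
ITERATION_COUNT = 100_000
DIGEST = "sha256"
KEY_LEN = 32
SALT_LEN = 16


def derive_key(secret: str, salt: bytes) -> bytes:
    """Password-based key derivation; the salt is the only thing that differs between the two schemes."""
    return hashlib.pbkdf2_hmac(DIGEST, secret.encode("utf-8"), salt, ITERATION_COUNT, KEY_LEN)


def protect_fixed_salt(secret: str) -> str:
    """'Before': every caller shares one build-time salt, so equal inputs give equal outputs."""
    return derive_key(secret, HARDCODED_SALT).hex()


def protect_random_salt(secret: str, salt: Optional[bytes] = None) -> str:
    """'After': a fresh salt per call (secrets is a CSPRNG, like java.security.SecureRandom),
    emitted in front of the derived value so the same key can be rebuilt later."""
    salt = secrets.token_bytes(SALT_LEN) if salt is None else salt
    return salt.hex() + ":" + derive_key(secret, salt).hex()


def verify_random_salt(stored: str, candidate: str) -> bool:
    """Re-derive with the stored salt; constant-time compare avoids a timing side channel."""
    salt_hex, key_hex = stored.split(":", 1)
    recomputed = derive_key(candidate, bytes.fromhex(salt_hex)).hex()
    return hmac.compare_digest(recomputed, key_hex)


def outputs_linkable(protect: Callable[[str], str], secret: str) -> bool:
    """True when two independent protections of the same secret are byte-identical,
    i.e. an observer can tell two records share a password without knowing it (CWE-760)."""
    return protect(secret) == protect(secret)


if __name__ == "__main__":
    print("fixed salt linkable:", outputs_linkable(protect_fixed_salt, "constructed-secret"))   # True
    print("random salt linkable:", outputs_linkable(protect_random_salt, "constructed-secret"))  # False
```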