Md Mahir Asef Kabir created RANGER-3183:
-------------------------------------------
Summary: Avoid insufficient iteration length in creating PBE #882
Key: RANGER-3183
URL: https://issues.apache.org/jira/browse/RANGER-3183
Project: Ranger
Issue Type: Improvement
Components: Ranger
Reporter: Md Mahir Asef Kabir
We found a security vulnerability in file:
[https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java]
line 311, PBEParameterSpec used an iteration count of 20
Security Impact:
To achieve strong encryption, the iteration should be larger than 1000.
Useful links:
[https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
[https://cwe.mitre.org/data/definitions/760.html]
[http://www.crypto-it.net/eng/theory/pbe.html#part_salt]
[https://www.appmarq.com/public/tqi,1039022,CWE-916Cryptographic-HashAvoid-using-Insecure-PBE-Iteration-Count]
Solution we suggest
We suggest setting the iteration larger than 1000
Please share with us your opinions/comments if there are any
Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
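An added illustration, in Java, of the weak PBEParameterSpec setting the report describes beside a corrected one; this is example code, not RangerKeyStore's code or a Ranger patch. The guard method, the 100,000 count and the sample inputs are assumptions of this example; the report itself only states that the count should exceed 1000.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PbeIterationCheck {
    static final String ALGO = "PBEWithHmacSHA256AndAES_128";
    static final int WEAK_ITERATIONS = 20;        // the hard-coded count the report flags
    static final int MIN_ITERATIONS = 1000;       // floor suggested in the report
    static final int STRONG_ITERATIONS = 100_000; // assumed value, comfortably above the floor

    // Fails loudly on any count at or below the floor, so a weak value cannot ship silently.
    static int requireStrongIterationCount(int iterations) {
        if (iterations <= MIN_ITERATIONS) {
            throw new IllegalArgumentException(
                "PBE iteration count " + iterations + " must exceed " + MIN_ITERATIONS);
        }
        return iterations;
    }

    // Salt, iteration count and IV are carried together in the PBEParameterSpec (3-arg form).
    static byte[] pbe(int mode, char[] pw, byte[] salt, byte[] iv, int iters, byte[] data)
            throws Exception {
        SecretKey key = SecretKeyFactory.getInstance(ALGO).generateSecret(new PBEKeySpec(pw));
        PBEParameterSpec spec = new PBEParameterSpec(salt, iters, new IvParameterSpec(iv));
        Cipher cipher = Cipher.getInstance(ALGO);
        cipher.init(mode, key, spec);
        return cipher.doFinal(data);
    }

    public static void main(String[] args) throws Exception {
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[16];
        rng.nextBytes(salt); rng.nextBytes(iv);
        char[] pw = "example-password".toCharArray();              // constructed sample input
        byte[] plain = "key material".getBytes(StandardCharsets.UTF_8);
        try { requireStrongIterationCount(WEAK_ITERATIONS); }      // the report's case: rejected
        catch (IllegalArgumentException e) { System.out.println("rejected: " + e.getMessage()); }
        int iters = requireStrongIterationCount(STRONG_ITERATIONS);
        long t0 = System.nanoTime();
        byte[] ct = pbe(Cipher.ENCRYPT_MODE, pw, salt, iv, iters, plain);
        long ms = (System.nanoTime() - t0) / 1_000_000;            // cost of the stronger count
        byte[] back = pbe(Cipher.DECRYPT_MODE, pw, salt, iv, iters, ct);
        System.out.println("round trip ok: " + Arrays.equals(plain, back) + ", took " + ms + " ms");
    }
}
```

The printed timing makes the trade-off visible: a higher count costs a few milliseconds per key derivation, which a KMS pays once per key load while an offline guessing attack pays it on every candidate password.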