Md Mahir Asef Kabir created SLING-9418:
------------------------------------------

             Summary: Usage of SHA-256 is insecure
                 Key: SLING-9418
                 URL: https://issues.apache.org/jira/browse/SLING-9418
             Project: Sling
          Issue Type: Improvement
            Reporter: Md Mahir Asef Kabir


*Vulnerability Description:* In the
“src/main/java/org/apache/sling/discovery/base/connectors/ping/TopologyRequestValidator.java”
file, the following code was written in the
{code:java}
private String hash(String toHash){code}
method:
{code:java}
MessageDigest m = MessageDigest.getInstance("SHA-256");{code}
The vulnerability is using "SHA-256" as the argument to the
MessageDigest.getInstance method.

*Reason it’s vulnerable:* According to
[this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/],
“SHA256 functions do not include a salt and a separate function must be used
to add the salt”. Another reference can be found
[here|https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm].

*Suggested Fix:* According to
[this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/],
“The most secure current hash functions are BCRYPT, SCRYPT, and Argon2”.

*Feedback:* Please select any of the options down below to help us get an idea
about how you felt about the suggestion:
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful

*Note:* Tagging *[~stefanegli]* as suggested by [~rombert] in this
[pull request|https://github.com/apache/sling-org-apache-sling-discovery-base/pull/1].



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
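The report's concern is an unsalted, fast digest applied to a secret such as a user password. The added example below is not Sling code: it contrasts a bare MessageDigest SHA-256 call with a salted, iterated PBKDF2-HMAC-SHA256 derivation, which is used here instead of the bcrypt/scrypt/Argon2 the report names because PBKDF2 ships with the JDK while the others need a third-party library. The class name, the iteration count and the sample password are constructed for the demonstration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class PasswordHashDemo {
    // The pattern the report objects to: no salt, so identical inputs give
    // identical output, and a single SHA-256 is cheap to compute at scale.
    static String unsaltedSha256(String password) throws Exception {
        MessageDigest m = MessageDigest.getInstance("SHA-256");
        byte[] digest = m.digest(password.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // Hypothetical cost parameter; tune it to the deployment hardware.
    static final int ITERATIONS = 600_000;

    // Hardened form: fresh random 16-byte salt per call, stretched with
    // PBKDF2-HMAC-SHA256. Output is "iterations$salt$hash" so verify() can
    // recover the salt and cost later.
    static String saltedPbkdf2(char[] password) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);
        Base64.Encoder enc = Base64.getEncoder();
        byte[] hash = pbkdf2(password, salt, ITERATIONS);
        return ITERATIONS + "$" + enc.encodeToString(salt) + "$" + enc.encodeToString(hash);
    }

    static boolean verify(char[] password, String stored) throws Exception {
        String[] parts = stored.split("\\$");
        int iterations = Integer.parseInt(parts[0]);
        byte[] salt = Base64.getDecoder().decode(parts[1]);
        byte[] expected = Base64.getDecoder().decode(parts[2]);
        // Constant-time comparison avoids leaking how many bytes matched.
        return MessageDigest.isEqual(expected, pbkdf2(password, salt, iterations));
    }

    private static byte[] pbkdf2(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
    }

    public static void main(String[] args) throws Exception {
        String pw = "correct horse battery staple"; // constructed sample input
        System.out.println(unsaltedSha256(pw).equals(unsaltedSha256(pw))); // true: no salt
        String a = saltedPbkdf2(pw.toCharArray()), b = saltedPbkdf2(pw.toCharArray());
        System.out.println(a.equals(b));                  // false: distinct salts
        System.out.println(verify(pw.toCharArray(), a));  // true: verifiable from stored record
    }
}
```

Whether the swap applies to TopologyRequestValidator depends on what the hashed value protects; a salted, slow KDF is the fix for stored user passwords, while a digest used as a message integrity tag calls for a keyed construction such as HMAC instead.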
