[jira] [Commented] (SLING-9418) Usage of SHA-256 is insecure

Thu, 07 May 2020 06:08:05 -0700 


    [ 
https://issues.apache.org/jira/browse/SLING-9418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17101654#comment-17101654
 ] 

Antonio Sanso commented on SLING-9418:
--------------------------------------

[~mahir.kabir] i resolved as invalid. Feel free to reopen should not agree. 
Your comments apply to hashing a password and this is not the case here.

> Usage of SHA-256 is insecure
> ----------------------------
>
>                 Key: SLING-9418
>                 URL: https://issues.apache.org/jira/browse/SLING-9418
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>
> *Vulnerability Description:* In 
> “src/main/java/org/apache/sling/discovery/base/connectors/ping/TopologyRequestValidator.java”
>  file the following code was written in
> {code:java}
> private String hash(String toHash){code}
> method -
> {code:java}
> MessageDigest m = MessageDigest.getInstance("SHA-256");{code}
> The vulnerability is, using "SHA-256” as the argument to 
> MessageDigest.getInstance method.
> *Reason it’s vulnerable:* According to 
> [this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/],
>  “SHA256 functions do not include a salt and a separate function must be used 
> to add the salt”. Another reference can be found 
> [here|https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm].
> *Suggested Fix:* According to 
> [this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/],
>  “The most secure current hash functions are BCRYPT, SCRYPT, and Argon2”
> *Feedback:* Please select any of the options down below to help us get an 
> idea about how you felt about the suggestion -
>  # Liked it and will make the suggested changes
>  # Liked it but happy with the existing version
>  # Didn’t find the suggestion helpful
>  
> *Note:* Tagging *[~stefanegli]* as suggested by [~rombert] in this [pull 
> request.|https://github.com/apache/sling-org-apache-sling-discovery-base/pull/1]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to