Demetrius Tsitrelis created CLOUDSTACK-8015:
-----------------------------------------------
Summary: Password-based encryption in database uses insecure MD5
and DES algorithms
Key: CLOUDSTACK-8015
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8015
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: Management Server
Reporter: Demetrius Tsitrelis
The DBEncryptionUtil and EncryptionSecretKeyChecker classes use a key derived
from a password-based encryption class instance. This instance has not been
initialized to use multiple iterations of the selected hash which would make it
much more difficult for an attacker. Also, the encryption algorithm chosen is
DES which is now known to be weak.
Mitigation:
Use at least 1000 iterations by using the
StandardPBEStringEncryptor.setKeyObtentionIterations() method.
Invoke the setAlgorithm() method to use an alternative such as
PBEWITHSHA256AND128BITAES-CBC-BC instead of PBEWithMD5AndDES. See, for example,
http://www.jasypt.org/bouncy-castle.html
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
