[ https://issues.apache.org/jira/browse/IGNITE-14004?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17270793#comment-17270793 ]

Ya Xiao commented on IGNITE-14004:
----------------------------------

Thank you so much for replying. We are a security research team at Virginia
Tech. Actually, we are doing an empirical study about the usefulness of the
existing security vulnerability detection tools. The reported one is what we
got from certain tools.

We would very much appreciate it if you could give us some information about
the following questions. Your feedback is important for us to help improve the
state of the art.

1. To fix the vulnerabilities, what kind of support do you expect from a
useful bug detector? Take the reported case as an example: do you think
customized code-fixing suggestions are required, or can some code examples help?

2. What kind of bug checker/vulnerability detection tools are you using?
Do you think they are helpful?

3. Are there any types of bugs/security vulnerabilities you want the
detection tools to pay more attention to? Or any expected features of the
detection tools?

> Customized TrustManager bypasses certificate verification
> ---------------------------------------------------------
>
>                 Key: IGNITE-14004
>                 URL: https://issues.apache.org/jira/browse/IGNITE-14004
>             Project: Ignite
>          Issue Type: Bug
>          Components: clients, control.sh, security
>            Reporter: Ya Xiao
>            Priority: Critical
>              Labels: security
>
> We found a security vulnerability in file 
> [ignite/modules/core/src/main/java/org/apache/ignite/internal/client/ssl/GridSslBasicContextFactory.java|https://github.com/apache/ignite/blob/be3072ff278a2542e41d008b5379473867df3814/modules/core/src/main/java/org/apache/ignite/internal/client/ssl/GridSslBasicContextFactory.java].
> The customized TrustManager (at Line 502) allows all certificates to pass the
> verification.
> *Security Impact*:
> The checkClientTrusted and checkServerTrusted methods are expected to 
> implement the certificate validation logic. Bypassing it could allow 
> man-in-the-middle attacks.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/295.html]
> [https://developer.android.com/training/articles/security-ssl|https://developer.android.com/training/articles/security-ssl#SelfSigned]
> *Solution we suggest:*
> Do not customize the TrustManager, or specify the certificate validation logic 
> instead of allowing all certificates. See 
> [here|https://developer.android.com/training/articles/security-ssl] to 
> securely allow self-signed certificates and other common cases.
> *Please share with us your opinions/comments if there are any:*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
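The report above describes a customized X509TrustManager whose checkClientTrusted/checkServerTrusted methods accept every chain (CWE-295), and suggests either not customizing the TrustManager at all or pinning the specific certificate to trust. The following is an added, stand-alone Java example written for this page; it is not Ignite's code and does not reproduce GridSslBasicContextFactory. It puts the "trust all" anti-pattern next to the two correct options (the JDK default trust store, and an in-memory KeyStore holding only the pinned CA or self-signed certificate) and checks a single-certificate chain against each. The class name TrustManagerDemo, the file names our-ca.pem and attacker.pem, and the keytool commands in the comments are assumptions for the demo; the example assumes both files are RSA self-signed certificates in PEM form.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not Ignite code): the "trust everything" TrustManager pattern
 * from the report (CWE-295) next to two ways of validating certificates properly.
 *
 * Assumed test input, created with keytool (names are assumptions):
 *   keytool -genkeypair -keyalg RSA -alias ours -dname CN=ours \
 *       -keystore ours.p12 -storepass changeit
 *   keytool -exportcert -rfc -alias ours -keystore ours.p12 -storepass changeit -file our-ca.pem
 *   (repeat with alias/CN "attacker" to produce attacker.pem)
 * Run: java TrustManagerDemo our-ca.pem attacker.pem
 */
public class TrustManagerDemo {

    /** The anti-pattern: no chain is ever rejected, so a MITM certificate is accepted. */
    static X509TrustManager trustAll() {
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
            @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
        };
    }

    /** Option 1: do not customize. A null KeyStore means the JDK's default trust store (cacerts). */
    static X509TrustManager platformDefault() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);
        return firstX509(tmf);
    }

    /** Option 2: trust exactly one CA or self-signed cert by putting only it into an empty KeyStore. */
    static X509TrustManager pinnedTo(X509Certificate anchor) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);                         // empty, in-memory trust store
        ks.setCertificateEntry("pinned-anchor", anchor);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                                // PKIX validation, restricted to that anchor
        return firstX509(tmf);
    }

    /** Reads one PEM/DER encoded X.509 certificate; CertificateFactory handles both encodings. */
    static X509Certificate readCert(Path file) throws Exception {
        try (InputStream in = Files.newInputStream(file)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    static X509TrustManager firstX509(TrustManagerFactory tmf) {
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    /**
     * Validates a one-certificate server chain the way the TLS stack would.
     * "RSA" is the authType a handshake reports for an RSA server key (assumed here).
     * Returns true when the manager accepts the chain, false when it throws.
     */
    static boolean accepts(X509TrustManager tm, X509Certificate leaf) {
        try {
            tm.checkServerTrusted(new X509Certificate[] { leaf }, "RSA");
            return true;
        } catch (CertificateException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        X509Certificate ours = readCert(Path.of(args[0]));
        X509Certificate attacker = readCert(Path.of(args[1]));

        X509TrustManager bad = trustAll();
        X509TrustManager pinned = pinnedTo(ours);
        X509TrustManager platform = platformDefault();

        System.out.println("trust-all accepts our cert:        " + accepts(bad, ours));
        System.out.println("trust-all accepts attacker cert:   " + accepts(bad, attacker));
        System.out.println("pinned accepts our cert:           " + accepts(pinned, ours));
        System.out.println("pinned accepts attacker cert:      " + accepts(pinned, attacker));
        System.out.println("platform default accepts attacker: " + accepts(platform, attacker));
    }
}
```

With the two keytool-generated certificates, the trust-all manager accepts both chains, which is the man-in-the-middle exposure the report describes. The pinned manager accepts our-ca.pem (the chain's only certificate is the configured trust anchor) and rejects attacker.pem with a CertificateException because PKIX path building cannot reach any configured anchor; the platform-default manager rejects the unknown self-signed certificate for the same reason. The SSLContext for a client is then built with SSLContext.init(null, tmf.getTrustManagers(), null) from the TrustManagerFactory, never from a hand-written manager with empty check methods.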