[
https://issues.apache.org/jira/browse/KYLIN-4479?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Shao Feng Shi closed KYLIN-4479.
--------------------------------
Resolution: Duplicate
> Usage of "AES/ECB/PKCS5Padding" is insecure
> -------------------------------------------
>
> Key: KYLIN-4479
> URL: https://issues.apache.org/jira/browse/KYLIN-4479
> Project: Kylin
> Issue Type: Improvement
> Reporter: Md Mahir Asef Kabir
> Priority: Major
>
> *Vulnerability Description:* In
> “core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java”
> file the following code was written in public static String encrypt(String
> strToEncrypt) method & public static String decrypt(String strToDecrypt)
> method -
> {code:java}
> Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
> {code}
> The vulnerability is, using "AES/ECB/PKCS5Padding” as the argument to
> Cipher.getInstance method.
> *Reason it’s vulnerable:* ”AES/ECB/PKCS5Padding” is not secure. For further
> reference, please follow [this | https://zachgrace.com/posts/attacking-ecb].
> *Suggested Fix:* Using
> {code:java}
> Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
> {code}
> *Feedback:* Please select any of the options down below to help us get an
> idea about how you felt about the suggestion -
> # Liked it and will make the suggested changes
> # Liked it but happy with the existing version
> # Didn’t find the suggestion helpful
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
