[ https://issues.apache.org/jira/browse/KYLIN-4479?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Shao Feng Shi closed KYLIN-4479.
--------------------------------
    Resolution: Duplicate

> Usage of "AES/ECB/PKCS5Padding" is insecure
> -------------------------------------------
>
>                 Key: KYLIN-4479
>                 URL: https://issues.apache.org/jira/browse/KYLIN-4479
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>
> *Vulnerability Description:* In
> "core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java"
> file the following code was written in public static String encrypt(String
> strToEncrypt) method & public static String decrypt(String strToDecrypt)
> method -
> {code:java}
> Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
> {code}
> The vulnerability is, using "AES/ECB/PKCS5Padding" as the argument to
> Cipher.getInstance method.
> *Reason it's vulnerable:* "AES/ECB/PKCS5Padding" is not secure. For further
> reference, please follow [this | https://zachgrace.com/posts/attacking-ecb].
> *Suggested Fix:* Using
> {code:java}
> Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
> {code}
> *Feedback:* Please select any of the options down below to help us get an
> idea about how you felt about the suggestion -
> # Liked it and will make the suggested changes
> # Liked it but happy with the existing version
> # Didn't find the suggestion helpful

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
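
The difference between the two transformations named in the issue, as an added Java example that is not part of the original message or of Kylin's EncryptUtil: ECB maps equal plaintext blocks to equal ciphertext blocks and is deterministic, while CFB with a fresh random IV per message is neither. The class and method names, the generated key and the sample plaintext are assumptions made for the demonstration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

public class EcbVsCfbDemo {
    // Hypothetical helper: compares the 16-byte blocks at offsets off and off+16.
    static boolean adjacentBlocksEqual(byte[] ct, int off) {
        return Arrays.equals(Arrays.copyOfRange(ct, off, off + 16),
                             Arrays.copyOfRange(ct, off + 16, off + 32));
    }

    static byte[] encryptEcb(SecretKey key, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding"); // transformation reported in the issue
        c.init(Cipher.ENCRYPT_MODE, key);                      // ECB takes no IV
        return c.doFinal(pt);
    }

    // Returns IV || ciphertext. CFB needs a fresh, unpredictable IV for every message;
    // it provides confidentiality only, so integrity needs a MAC or an AEAD mode.
    static byte[] encryptCfb(SecretKey key, byte[] pt) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CFB/PKCS5Padding"); // transformation suggested in the issue
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(pt);
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey(); // throwaway demo key
        // Constructed sample: two identical 16-byte plaintext blocks.
        byte[] pt = "0123456789abcdef0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

        byte[] ecb = encryptEcb(key, pt);
        byte[] cfb = encryptCfb(key, pt);
        System.out.println("ECB equal blocks:  " + adjacentBlocksEqual(ecb, 0));
        System.out.println("ECB deterministic: " + Arrays.equals(ecb, encryptEcb(key, pt)));
        System.out.println("CFB equal blocks:  " + adjacentBlocksEqual(cfb, 16)); // skip the IV
        System.out.println("CFB deterministic: " + Arrays.equals(cfb, encryptCfb(key, pt)));
    }
}
```

Switching the transformation string alone is not a drop-in change: the decrypt path has to read the stored IV back and pass it to `Cipher.init`, and values already encrypted under ECB need to be re-encrypted.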