Posted to issues@kylin.apache.org by "Xiaoxiang Yu (Jira)" <ji...@apache.org> on 2020/07/10 12:21:00 UTC

[jira] [Closed] (KYLIN-4477) Usage of "TLS" is insecure

     [ https://issues.apache.org/jira/browse/KYLIN-4477?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Xiaoxiang Yu closed KYLIN-4477.
-------------------------------

Resolved in release 3.1.0 (2020-07-03)

> Usage of "TLS" is insecure
> --------------------------
>
>                 Key: KYLIN-4477
>                 URL: https://issues.apache.org/jira/browse/KYLIN-4477
>             Project: Kylin
>          Issue Type: Improvement
>            Reporter: Md Mahir Asef Kabir
>            Assignee: Md Mahir Asef Kabir
>            Priority: Major
>             Fix For: v3.1.0
>
>
> *Vulnerability Description:* In the “engine-mr/src/main/java/org/apache/kylin/engine/mr/common/DefaultSslProtocolSocketFactory.java” file, the following code was written in the
> {code:java}
> private static SSLContext createEasySSLContext()
> {code}
> method -
> {code:java}
> SSLContext context = SSLContext.getInstance("TLS");
> {code}
> The vulnerability is using "TLS" as the argument to the SSLContext.getInstance method.
> *Reason it’s vulnerable:* TLS 1.0 is vulnerable to man-in-the-middle attacks. For further reference, follow [this|https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation.php].
> *Suggested Fix:* Using
> {code:java}
> SSLContext.getInstance("TLSv1.3")
> {code}
> *Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -
>  # Liked it and will make the suggested changes
>  # Liked it but happy with the existing version
>  # Didn’t find the suggestion helpful



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
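
An added example, not part of the original message or of Kylin's code: it prints which protocol versions the "TLS" and "TLSv1.3" contexts enable by default on the running JRE, then restricts an engine to an explicit allow-list through SSLParameters. The class name, the helper names and the allow-list are assumptions of this example; the context is initialised with the JRE's default key and trust managers.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;

public class TlsProtocolCheck {
    // Versions this example accepts (an assumption, not taken from the issue).
    private static final List<String> ALLOWED = Arrays.asList("TLSv1.3", "TLSv1.2");

    /** Allowed versions that the provider behind this context actually supports. */
    static String[] allowedAndSupported(SSLContext ctx) {
        List<String> supported = Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        List<String> result = new ArrayList<>();
        for (String p : ALLOWED) {
            if (supported.contains(p)) result.add(p);
        }
        // Fail closed rather than fall back to an older protocol version.
        if (result.isEmpty()) throw new IllegalStateException("no acceptable TLS version supported");
        return result.toArray(new String[0]);
    }

    /** Engine whose enabled protocols are limited to the allow-list. */
    static SSLEngine hardenedEngine(SSLContext ctx) {
        SSLEngine engine = ctx.createSSLEngine();
        SSLParameters params = engine.getSSLParameters();
        params.setProtocols(allowedAndSupported(ctx));
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        for (String name : new String[] {"TLS", "TLSv1.3"}) {
            SSLContext ctx;
            try {
                ctx = SSLContext.getInstance(name);
            } catch (NoSuchAlgorithmException e) {
                System.out.println(name + ": not available on this JRE");
                continue;
            }
            ctx.init(null, null, null); // default key managers, trust managers and RNG
            System.out.println(name + " enabled by default: "
                    + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
            System.out.println(name + " after restriction:  "
                    + Arrays.toString(hardenedEngine(ctx).getEnabledProtocols()));
        }
    }
}
```

The same `SSLParameters` restriction can be applied to an `SSLSocket` with `setSSLParameters` before the handshake starts.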