Posted to dev@ranger.apache.org by "Bhavik Patel (Jira)" <ji...@apache.org> on 2022/04/08 09:34:00 UTC

[jira] [Resolved] (RANGER-3183) Avoid insufficient iteration length in creating PBE #882

     [ https://issues.apache.org/jira/browse/RANGER-3183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bhavik Patel resolved RANGER-3183.
----------------------------------
    Resolution: Not A Problem

The iteration parameter is configurable; you can update the properties for your cluster.

> Avoid insufficient iteration length in creating PBE #882
> --------------------------------------------------------
>
>                 Key: RANGER-3183
>                 URL: https://issues.apache.org/jira/browse/RANGER-3183
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>
> We found a security vulnerability in file: [https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java] line 311, PBEParameterSpec used an iteration = 20
> Security Impact:
> To achieve strong encryption, the iteration should be larger than 1000.
> Useful links:
> [https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
> [https://cwe.mitre.org/data/definitions/760.html]
> [http://www.crypto-it.net/eng/theory/pbe.html#part_salt]
> [https://www.appmarq.com/public/tqi,1039022,CWE-916Cryptographic-HashAvoid-using-Insecure-PBE-Iteration-Count]
> Solution we suggest
> We suggest setting the iteration larger than 1000
> Please share with us your opinions/comments if there are any
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
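As an added illustration (not Ranger's own code) of the resolution's point that the PBE iteration count belongs in configuration rather than hard-coded: a small Java factory that reads the count from a property, rejects anything at or below the 1000 the report cites, and builds the PBEParameterSpec with a fresh random salt. The property key `pbe.iterations` and the class name are assumptions, not Ranger configuration.

```java
import java.security.SecureRandom;
import java.util.Properties;
import javax.crypto.spec.PBEParameterSpec;

// Added example, not Ranger project code. The property key below is a
// hypothetical placeholder, not a real Ranger configuration name.
public final class PbeSpecFactory {
    static final String ITERATIONS_KEY = "pbe.iterations"; // hypothetical key
    static final int MIN_ITERATIONS = 1000; // the report asks for more than 1000
    private static final SecureRandom RNG = new SecureRandom();

    // Read the configured iteration count and refuse weak or missing values,
    // so a low value like 20 (or a typo) cannot silently reach PBEParameterSpec.
    static int iterationsFrom(Properties props) {
        String raw = props.getProperty(ITERATIONS_KEY);
        if (raw == null) {
            throw new IllegalStateException(ITERATIONS_KEY + " is not set");
        }
        int iterations;
        try {
            iterations = Integer.parseInt(raw.trim());
        } catch (NumberFormatException e) {
            throw new IllegalStateException(ITERATIONS_KEY + " is not an integer: " + raw, e);
        }
        if (iterations <= MIN_ITERATIONS) {
            throw new IllegalStateException(ITERATIONS_KEY + "=" + iterations
                    + " is too low; must exceed " + MIN_ITERATIONS);
        }
        return iterations;
    }

    // Fresh 16-byte random salt for each use, paired with the validated count.
    static PBEParameterSpec newSpec(Properties props) {
        byte[] salt = new byte[16];
        RNG.nextBytes(salt);
        return new PBEParameterSpec(salt, iterationsFrom(props));
    }

    public static void main(String[] args) {
        Properties weak = new Properties();
        weak.setProperty(ITERATIONS_KEY, "20"); // the value the report flags
        try {
            newSpec(weak);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Properties ok = new Properties();
        ok.setProperty(ITERATIONS_KEY, "100000"); // constructed hardened value
        System.out.println("accepted: " + newSpec(ok).getIterationCount());
    }
}
```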