Posted to dev@ranger.apache.org by "Bhavik Patel (Jira)" <ji...@apache.org> on 2022/04/08 09:34:00 UTC
[jira] [Resolved] (RANGER-3183) Avoid insufficient iteration length in creating PBE #882
[ https://issues.apache.org/jira/browse/RANGER-3183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Bhavik Patel resolved RANGER-3183.
----------------------------------
Resolution: Not A Problem
The iteration parameter is configurable; you can update the properties for your cluster.
> Avoid insufficient iteration length in creating PBE #882
> --------------------------------------------------------
>
> Key: RANGER-3183
> URL: https://issues.apache.org/jira/browse/RANGER-3183
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Md Mahir Asef Kabir
> Priority: Major
>
> We found a security vulnerability in file: [https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java] line 311, PBEParameterSpec used an iteration = 20
> Security Impact:
> To achieve strong encryption, the iteration should be larger than 1000.
> Useful links:
> [https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
> [https://cwe.mitre.org/data/definitions/760.html]
> [http://www.crypto-it.net/eng/theory/pbe.html#part_salt]
> [https://www.appmarq.com/public/tqi,1039022,CWE-916Cryptographic-HashAvoid-using-Insecure-PBE-Iteration-Count]
> Solution we suggest
> We suggest setting the iteration larger than 1000
> Please share with us your opinions/comments if there are any
> Is the bug report helpful?
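As an added example (not Ranger's own code), a small Java program that reads the PBE iteration count from a configuration property, rejects values below the 1000-iteration floor the report recommends, and derives a PBKDF2 key with the accepted count; the property name, password and salt are constructed placeholders, not Ranger's real settings.

```java
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import java.security.SecureRandom;
import java.util.Properties;

public class PbeIterationExample {
    // Hypothetical property name; the page does not name Ranger's actual property.
    static final String ITER_PROP = "example.pbe.iteration.count";
    // Floor recommended in the report: anything lower is rejected at startup.
    static final int MIN_ITERATIONS = 1000;

    /** Read the iteration count from config, defaulting to the reported value of 20. */
    static int iterationCount(Properties props) {
        int n = Integer.parseInt(props.getProperty(ITER_PROP, "20"));
        if (n < MIN_ITERATIONS) {
            throw new IllegalArgumentException(
                ITER_PROP + "=" + n + " is below the minimum of " + MIN_ITERATIONS);
        }
        return n;
    }

    /** Derive a 256-bit key with PBKDF2-HMAC-SHA256 and the given iteration count. */
    static byte[] deriveKey(char[] password, byte[] salt, int iterations) throws Exception {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        SecretKeyFactory factory = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        try {
            return factory.generateSecret(spec).getEncoded();
        } finally {
            spec.clearPassword(); // do not leave the password in memory longer than needed
        }
    }

    public static void main(String[] args) throws Exception {
        byte[] salt = new byte[16];
        new SecureRandom().nextBytes(salt);            // per-key random salt
        char[] pw = "constructed-example-password".toCharArray();

        Properties weak = new Properties();             // property unset -> default 20 -> rejected
        try {
            iterationCount(weak);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }

        Properties ok = new Properties();
        ok.setProperty(ITER_PROP, "100000");            // constructed value above the floor
        int n = iterationCount(ok);
        long t0 = System.nanoTime();
        byte[] key = deriveKey(pw, salt, n);
        System.out.printf("derived %d-byte key with %d iterations in %.1f ms%n",
                key.length, n, (System.nanoTime() - t0) / 1e6);
    }
}
```

The timing printed for the accepted count is the cost a legitimate caller pays per derivation; a count of 20 makes that cost, and therefore the cost of guessing the password offline, negligible.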
--
This message was sent by Atlassian Jira
(v8.20.1#820001)