Posted to dev@kylin.apache.org by "Md Mahir Asef Kabir (Jira)" <ji...@apache.org> on 2020/05/04 02:12:00 UTC
[jira] [Created] (KYLIN-4479) Usage of "AES/ECB/PKCS5Padding" is insecure
Md Mahir Asef Kabir created KYLIN-4479:
------------------------------------------
Summary: Usage of "AES/ECB/PKCS5Padding" is insecure
Key: KYLIN-4479
URL: https://issues.apache.org/jira/browse/KYLIN-4479
Project: Kylin
Issue Type: Improvement
Reporter: Md Mahir Asef Kabir
*Vulnerability Description:* In the "core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java" file, the following code was written in the public static String encrypt(String strToEncrypt) method & the public static String decrypt(String strToDecrypt) method -
{code:java}
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
{code}
The vulnerability is using "AES/ECB/PKCS5Padding" as the argument to the Cipher.getInstance method.
*Reason it's vulnerable:* "AES/ECB/PKCS5Padding" is not secure. For further reference, please follow [this | https://zachgrace.com/posts/attacking-ecb].
*Suggested Fix:* Using
{code:java}
Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
{code}
*Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
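The following is an added, self-contained Java example written for this page; it is not Kylin's EncryptUtil code and the key and plaintext are constructed for the demonstration. It shows the property the ticket is about: under "AES/ECB/PKCS5Padding" every identical 16-byte plaintext block encrypts to an identical ciphertext block, so structure in the plaintext is visible in the ciphertext, whereas a mode that takes a per-message random IV does not leak that pattern. It also shows a detail the suggested transformation string alone does not cover: "AES/CFB/PKCS5Padding" requires an IV, which must be generated fresh per message with SecureRandom, stored alongside the ciphertext (here prepended), and supplied again to decrypt. The helper name repeatedBlocks and class name EcbVsCfbDemo are this example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class EcbVsCfbDemo {

    // Count how many 16-byte ciphertext blocks exactly repeat an earlier block.
    // ECB maps equal plaintext blocks to equal ciphertext blocks, so repetitive
    // input yields a positive count; an IV-based mode should yield 0.
    static int repeatedBlocks(byte[] ciphertext) {
        Set<String> seen = new HashSet<>();
        int repeats = 0;
        for (int off = 0; off + 16 <= ciphertext.length; off += 16) {
            String block = Arrays.toString(Arrays.copyOfRange(ciphertext, off, off + 16));
            if (!seen.add(block)) {
                repeats++;
            }
        }
        return repeats;
    }

    // The transformation flagged in the ticket: no IV, deterministic per block.
    static byte[] ecbEncrypt(byte[] key, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return cipher.doFinal(plaintext);
    }

    // CFB needs a fresh random IV for every message. The IV is not secret, but the
    // receiver needs it, so it is prepended to the ciphertext here.
    static byte[] cfbEncrypt(byte[] key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[16];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] body = cipher.doFinal(plaintext);
        byte[] out = new byte[16 + body.length];
        System.arraycopy(iv, 0, out, 0, 16);
        System.arraycopy(body, 0, out, 16, body.length);
        return out;
    }

    // Split the prepended IV back off and decrypt with the same key and IV.
    static byte[] cfbDecrypt(byte[] key, byte[] ivAndBody) throws Exception {
        IvParameterSpec iv = new IvParameterSpec(Arrays.copyOfRange(ivAndBody, 0, 16));
        Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), iv);
        return cipher.doFinal(Arrays.copyOfRange(ivAndBody, 16, ivAndBody.length));
    }

    public static void main(String[] args) throws Exception {
        // Constructed demo key; a real deployment derives or provisions its key separately.
        byte[] key = new byte[16];
        new SecureRandom().nextBytes(key);

        // Constructed plaintext: one 16-byte block repeated four times.
        String block = "0123456789abcdef";
        byte[] plaintext = (block + block + block + block).getBytes(StandardCharsets.US_ASCII);

        byte[] ecb = ecbEncrypt(key, plaintext);
        byte[] cfb = cfbEncrypt(key, plaintext);

        System.out.println("ECB repeated ciphertext blocks: " + repeatedBlocks(ecb));
        System.out.println("CFB repeated ciphertext blocks: " + repeatedBlocks(cfb));
        System.out.println("CFB round trip ok: " + Arrays.equals(plaintext, cfbDecrypt(key, cfb)));
    }
}
```

Compile and run with `javac EcbVsCfbDemo.java && java EcbVsCfbDemo`. For the constructed input the ECB count is 3 (blocks two to four repeat block one; the trailing padding block differs), while the CFB count is 0 because the random IV changes the keystream for every message. Two caveats for whoever applies the fix: encrypt and decrypt must agree on where the IV is stored, so existing ciphertexts produced with ECB cannot be decrypted by the CFB code path without a migration step; and neither ECB nor CFB authenticates the ciphertext, so if tampering is a concern an AEAD transformation such as "AES/GCM/NoPadding" (also available in the JCE, with its own 12-byte nonce handling) is the usual choice.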