Posted to issues@ignite.apache.org by "Ying Zhang (Jira)" <ji...@apache.org> on 2021/02/06 19:12:00 UTC

[jira] [Updated] (IGNITE-14135) Avoid using plaintext Keystore password in source code

     [ https://issues.apache.org/jira/browse/IGNITE-14135?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ying Zhang updated IGNITE-14135:
--------------------------------
    Description: 
We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of existing security vulnerability detection tools. The following is a vulnerability reported by certain tools. We would greatly appreciate it if you could give any feedback on it.

*Vulnerability Location:*

In file modules/core/src/main/java/org/apache/ignite/spi/encryption/keystore/KeystoreEncryptionSpi.java, line 482 invokes keystore.load() with *keystorePwd*, which is called in docs/_docs/code-snippets/java/src/main/java/org/apache/ignite/snippets/TDE.java line 37 with a constant value "secret".

*Security Impact:* 

The keystore password should not be kept in the source code. The source code can be widely shared in an enterprise environment, and is certainly shared in open source. The product transmits or stores authentication credentials, but it uses an insecure way that is susceptible to unauthorized interception and/or retrieval.

*Suggestions:*

To be managed safely, passwords or secret keys should be stored in separate configuration files or keystores. The keystore password is better loaded from locally configured files than set directly in the code.

Useful links:

[https://cwe.mitre.org/data/definitions/321.html]

[https://cwe.mitre.org/data/definitions/522.html]

[https://www.baeldung.com/java-keystore]

*Please share with us your opinions/comments if there are any:*

Is the bug report helpful?

  was: We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of existing security vulnerability detection tools. The following is a vulnerability reported by certain tools. We would greatly appreciate it if you could give any feedback on it.


> Avoid using plaintext Keystore password in source code  
> --------------------------------------------------------
>
>                 Key: IGNITE-14135
>                 URL: https://issues.apache.org/jira/browse/IGNITE-14135
>             Project: Ignite
>          Issue Type: Improvement
>            Reporter: Ying Zhang
>            Priority: Major
>
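To make the suggested fix concrete, here is an added example (not Ignite project code and not part of the report) that places the flagged pattern beside a version loading the keystore password from a file outside the source tree. The setter names `setKeyStorePath`/`setKeyStorePassword` and `IgniteConfiguration.setEncryptionSpi` are taken from the Ignite API as I know it; the environment variable name and the keystore path are assumptions.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import org.apache.ignite.configuration.IgniteConfiguration;
import org.apache.ignite.spi.encryption.keystore.KeystoreEncryptionSpi;
public class TdeKeystoreConfig {
    static final String KEYSTORE_PATH = "/etc/ignite/keystore.jks"; // example path only
    // BEFORE (the pattern the report flags): a string literal committed to the repository.
    static IgniteConfiguration hardcoded() {
        KeystoreEncryptionSpi spi = new KeystoreEncryptionSpi();
        spi.setKeyStorePath(KEYSTORE_PATH);
        spi.setKeyStorePassword("secret".toCharArray());
        IgniteConfiguration cfg = new IgniteConfiguration();
        cfg.setEncryptionSpi(spi);
        return cfg;
    }

    // AFTER: the password is read at startup from a file outside the source tree.
    // IGNITE_KEYSTORE_PASSWORD_FILE is an assumed variable name; the file it names should
    // be owned by the Ignite service account and readable only by it (mode 0600).
    static IgniteConfiguration fromPasswordFile() throws IOException {
        String file = System.getenv("IGNITE_KEYSTORE_PASSWORD_FILE");
        if (file == null || file.isEmpty())
            throw new IllegalStateException("IGNITE_KEYSTORE_PASSWORD_FILE is not set");
        KeystoreEncryptionSpi spi = new KeystoreEncryptionSpi();
        spi.setKeyStorePath(KEYSTORE_PATH);
        // The SPI holds this char[] until it opens the keystore, so it is not wiped here.
        spi.setKeyStorePassword(readPassword(Paths.get(file)));
        IgniteConfiguration cfg = new IgniteConfiguration();
        cfg.setEncryptionSpi(spi);
        return cfg;
    }

    // Reads the password file, strips one trailing newline (editors usually add one),
    // rejects an empty file, and zeroes the raw bytes before returning.
    static char[] readPassword(Path file) throws IOException {
        byte[] raw = Files.readAllBytes(file);
        try {
            int len = raw.length;
            while (len > 0 && (raw[len - 1] == '\n' || raw[len - 1] == '\r')) len--;
            if (len == 0) throw new IllegalStateException("empty keystore password file: " + file);
            return new String(raw, 0, len, StandardCharsets.UTF_8).toCharArray();
        } finally {
            Arrays.fill(raw, (byte) 0);
        }
    }
}
```

The same approach applies to the documentation snippet in TDE.java: showing the password being read from a file or injected by the deployment tooling keeps readers from copying the literal into production configuration.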



--
This message was sent by Atlassian Jira
(v8.3.4#803005)