You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@deltaspike.apache.org by "Thomas Andraschko (Jira)" <ji...@apache.org> on 2023/03/31 08:34:00 UTC
[jira] [Assigned] (DELTASPIKE-1406) Usage of "SHA-256" and "AES" is insecure
[ https://issues.apache.org/jira/browse/DELTASPIKE-1406?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thomas Andraschko reassigned DELTASPIKE-1406:
---------------------------------------------
Assignee: Mark Struberg
> Usage of "SHA-256" and "AES" is insecure
> ----------------------------------------
>
> Key: DELTASPIKE-1406
> URL: https://issues.apache.org/jira/browse/DELTASPIKE-1406
> Project: DeltaSpike
> Issue Type: Improvement
> Security Level: public(Regular issues)
> Reporter: Md Mahir Asef Kabir
> Assignee: Mark Struberg
> Priority: Major
>
> *Vulnerability Description:* In “deltaspike/core/impl/src/main/java/org/apache/deltaspike/core/impl/crypto/DefaultCipherService.java”, the following algorithms were set to use later -
> {code:java}
> private static final String HASH_ALGORITHM = "SHA-256";
> private static final String CIPHER_ALGORITHM = "AES";
> {code}
> Here, SHA-256 and AES are vulnerable.
> *Reason it’s vulnerable:* According to [this|https://soylentnews.org/article.pl?sid=19/09/10/2351241], SHA256 can be broken.
> ”AES” is also not secure. For further reference, please follow [this|https://zachgrace.com/posts/attacking-ecb/]
> *Suggested Fix:* The secure algorithms to set would be -
> {code:java}
> private static final String HASH_ALGORITHM = "SHA-512";
> private static final String CIPHER_ALGORITHM = "AES/CFB/PKCS5Padding";
> {code}
> *Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -
> # Liked it and will make the suggested changes
> # Liked it but happy with the existing version
> # Didn’t find the suggestion helpful
--
This message was sent by Atlassian Jira
(v8.20.10#820010)