Posted to dev@sling.apache.org by "Md Mahir Asef Kabir (Jira)" <ji...@apache.org> on 2020/05/15 01:57:00 UTC
[jira] [Comment Edited] (SLING-9418) Usage of SHA-256 is insecure
[ https://issues.apache.org/jira/browse/SLING-9418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17107839#comment-17107839 ]
Md Mahir Asef Kabir edited comment on SLING-9418 at 5/15/20, 1:56 AM:
----------------------------------------------------------------------
[~asanso] thanks, I will reopen the issue if I find anything important. Meanwhile, I made a small change in the issue description for future usage.
was (Author: mahir.kabir):
[~asanso] thanks, I will reopen if the issue if I find anything important. Meanwhile, I made a small change in the issue description for future usage.
> Usage of SHA-256 is insecure
> ----------------------------
>
> Key: SLING-9418
> URL: https://issues.apache.org/jira/browse/SLING-9418
> Project: Sling
> Issue Type: Improvement
> Reporter: Md Mahir Asef Kabir
> Priority: Major
>
> *Vulnerability Description:* In “src/main/java/org/apache/sling/discovery/base/connectors/ping/TopologyRequestValidator.java” file the following code was written in
> {code:java}
> private String hash(String toHash){code}
> method -
> {code:java}
> MessageDigest m = MessageDigest.getInstance("SHA-256");{code}
> The vulnerability is using "SHA-256" as the argument to the MessageDigest.getInstance method.
> *Reason it’s vulnerable:* According to [this|https://soylentnews.org/article.pl?sid=19/09/10/2351241], SHA256 can be broken.
> *Suggested Fix:* SHA512 can be used instead
> *Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion -
> # Liked it and will make the suggested changes
> # Liked it but happy with the existing version
> # Didn’t find the suggestion helpful
>
> *Note:* Tagging *[~stefanegli]* as suggested by [~rombert] in this [pull request|https://github.com/apache/sling-org-apache-sling-discovery-base/pull/1].
--
This message was sent by Atlassian Jira
(v8.3.4#803005)