You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@wicket.apache.org by "ASF subversion and git services (Jira)" <ji...@apache.org> on 2021/02/07 14:52:00 UTC

[jira] [Commented] (WICKET-6864) Avoid hardcoded salt and insuffcient interation length in creating PBE

    [ https://issues.apache.org/jira/browse/WICKET-6864?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17280548#comment-17280548 ] 

ASF subversion and git services commented on WICKET-6864:
---------------------------------------------------------

Commit 7bc47ec03cbbf273570ae72b535fa4663024737e in wicket's branch refs/heads/WICKET-6864-crypt-enhancement from Sven Meier
[ https://gitbox.apache.org/repos/asf?p=wicket.git;h=7bc47ec ]

WICKET-6864 updated crypt configuration

to recommended standards


> Avoid hardcoded salt and insuffcient interation length in creating PBE
> ----------------------------------------------------------------------
>
>                 Key: WICKET-6864
>                 URL: https://issues.apache.org/jira/browse/WICKET-6864
>             Project: Wicket
>          Issue Type: Improvement
>            Reporter: Vicky Zhang
>            Priority: Major
>
> We found a security vulnerability in file: [wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java |https://github.com/apache/wicket/pull/425/commits/7300bbcd728a5dd4a00a4873dcc9487b4a9d91fb#diff-d68bd6c44cc638d62652d647655385b8508dc0819e99b77f0b4d3257aab17bff]line 56,  PBEParameterSpec use a hard-coded salt defined in line 53 and iteration = 17(defined in line 47)
> *Security Impact*:
> The salt is expected as a random string. A hardcoded salt may compromise system security in a way that cannot be easily remedied. Also to achieve strong encryption, the iteration should be larger than 1000. 
> _Useful links_:
> [https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
> [https://cwe.mitre.org/data/definitions/760.html]
> [http://www.crypto-it.net/eng/theory/pbe.html#part_salt]
> https://www.appmarq.com/public/tqi,1039022,CWE-916Cryptographic-HashAvoid-using-Insecure-PBE-Iteration-Count
> *Solution we suggest*
> We suggest generating a random default salt by SecureRandom class, set the iteration larger than 1000
> *Please share with us your opinions/comments if there is any*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)