You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@wicket.apache.org by "Ying Zhang (Jira)" <ji...@apache.org> on 2021/02/06 02:40:00 UTC
[jira] [Created] (WICKET-6864) Avoid hardcoded salt and insuffcient
interation length in creating PBE
Ying Zhang created WICKET-6864:
----------------------------------
Summary: Avoid hardcoded salt and insuffcient interation length in creating PBE
Key: WICKET-6864
URL: https://issues.apache.org/jira/browse/WICKET-6864
Project: Wicket
Issue Type: Improvement
Reporter: Ying Zhang
We found a security vulnerability in file: [wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java |https://github.com/apache/wicket/pull/425/commits/7300bbcd728a5dd4a00a4873dcc9487b4a9d91fb#diff-d68bd6c44cc638d62652d647655385b8508dc0819e99b77f0b4d3257aab17bff]line 56, PBEParameterSpec use a hard-coded salt defined in line 53 and iteration = 17(defined in line 47)
*Security Impact*:
The salt is expected as a random string. A hardcoded salt may compromise system security in a way that cannot be easily remedied. Also to achieve strong encryption, the iteration should be larger than 1000.
_Useful links_:
[https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
[https://cwe.mitre.org/data/definitions/760.html]
[http://www.crypto-it.net/eng/theory/pbe.html#part_salt]
https://www.appmarq.com/public/tqi,1039022,CWE-916Cryptographic-HashAvoid-using-Insecure-PBE-Iteration-Count
*Solution we suggest*
We suggest generating a random default salt by SecureRandom class, set the iteration larger than 1000
*Please share with us your opinions/comments if there is any*
Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)