You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cloudstack.apache.org by GitBox <gi...@apache.org> on 2021/02/15 17:48:41 UTC
[GitHub] [cloudstack] Mahir92 opened a new issue #4694: Usage of "AES/CBC/PKCS5Padding" is insecure
Mahir92 opened a new issue #4694:
URL: https://github.com/apache/cloudstack/issues/4694
In file https://github.com/apache/cloudstack/blob/0f3f2a09370a18301db28ec3d28efe746b6437c9/services/console-proxy/server/src/main/java/com/cloud/consoleproxy/ConsoleProxyPasswordBasedEncryptor.java (at Line 61), insecure "AES/CBC/PKCS5Padding" was used for encryption.
Security Impact:
Cipher Block Chaining (CBC) with PKCS#5 padding (or PKCS#7) is susceptible to padding oracle attacks
Useful Resources:
https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-4432
Solution we suggest:
Use GCM mode instead of ECB mode.
Please share with us your opinions/comments if there is any:
Is the bug report helpful?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org
[GitHub] [cloudstack] DaanHoogland commented on issue #4694: Usage of "AES/CBC/PKCS5Padding" is insecure
Posted by GitBox <gi...@apache.org>.
DaanHoogland commented on issue #4694:
URL: https://github.com/apache/cloudstack/issues/4694#issuecomment-779865514
> Is the bug report helpful?
Do you have an exploit or a mitigation, @Mahir92 ?
----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
For queries about this service, please contact Infrastructure at:
users@infra.apache.org