You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@kylin.apache.org by "Md Mahir Asef Kabir (Jira)" <ji...@apache.org> on 2020/05/04 01:58:00 UTC

[jira] [Created] (KYLIN-4478) Usage of "AES/ECB/PKCS5Padding" is insecure

Md Mahir Asef Kabir created KYLIN-4478:
------------------------------------------

             Summary: Usage of "AES/ECB/PKCS5Padding" is insecure
                 Key: KYLIN-4478
                 URL: https://issues.apache.org/jira/browse/KYLIN-4478
             Project: Kylin
          Issue Type: Improvement
            Reporter: Md Mahir Asef Kabir


*Vulnerability Description:* In “core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java” file the following code was written in public static String encrypt(String strToEncrypt) method - 


{code:java}
Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
{code}


The vulnerability is, using "AES/ECB/PKCS5Padding” as the argument to Cipher.getInstance method.


*Reason it’s vulnerable:* ”AES/ECB/PKCS5Padding” is not secure. For further reference, follow [this|https://zachgrace.com/posts/attacking-ecb/].


*Suggested Fix:* Using 

{code:java}
Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
{code}



*Feedback:* Please select any of the options down below to help us get an idea about how you felt about the suggestion - 

# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful



--
This message was sent by Atlassian Jira
(v8.3.4#803005)