Posted to dev@ranger.apache.org by "Dhaval Shah (Jira)" <ji...@apache.org> on 2021/01/21 16:06:00 UTC
[jira] [Comment Edited] (RANGER-3151) Avoid hardcoded salt in creating PBE
[ https://issues.apache.org/jira/browse/RANGER-3151?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17269405#comment-17269405 ]
Dhaval Shah edited comment on RANGER-3151 at 1/21/21, 4:05 PM:
---------------------------------------------------------------
Hi [~yaxiao],
We use the default hard-coded salt only if the supplied password string is empty, null or its length is < 4. Otherwise we create the salt from the password string only.
[https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java#L97]
Thanks
was (Author: dhavalshah9131):
Hi [~yaxiao],
We use the default hard-coded salt only if the supplied password string is empty, null or its length is < 4. Otherwise we create the salt from the password string only.
[https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java#L97]
{code:java}
if (crypt_algo_array != null && crypt_algo_array.length > 4) {
{code}
Thanks.
> Avoid hardcoded salt in creating PBE
> ------------------------------------
>
> Key: RANGER-3151
> URL: https://issues.apache.org/jira/browse/RANGER-3151
> Project: Ranger
> Issue Type: Improvement
> Components: Ranger
> Reporter: Ya Xiao
> Priority: Major
> Labels: patch, security
>
> We found a security vulnerability in file [ranger/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java|https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java]. It allows a hardcoded salt "f77aLYLo" (at Line 54) to be passed to the PBE instantiation (at Line 79).
> *Security Impact*:
> The salt is expected to be a random string. A hardcoded salt may compromise system security in a way that cannot be easily remedied.
> _Useful links_:
> [https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
> [https://cwe.mitre.org/data/definitions/760.html]
> [http://www.crypto-it.net/eng/theory/pbe.html#part_salt]
> *Solution we suggest*
> We suggest generating a random default salt using the SecureRandom class.
> *Please share with us your opinions/comments if there is any*
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
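Added example, not Ranger's code and not part of the thread: a Python sketch of the two salt strategies the thread contrasts, using PBKDF2-HMAC-SHA256 as a stand-in for the PBE cipher's own key derivation. The fallback salt value, the "first 8 bytes of the password" rule and all function names are assumptions; the point it shows is that any salt computed from the password alone is deterministic, while a SecureRandom-style salt must be stored next to the ciphertext and handed back for decryption.

```python
import hashlib
import os
from typing import Callable, Optional, Tuple

# Constructed placeholder; Ranger's real fallback value is not reproduced here.
FALLBACK_SALT = b"PLACEHOLDER_SALT"
ITERATIONS = 100_000
KEY_LEN = 32


def derive_key(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 standing in for the PBE cipher's internal KDF."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS, KEY_LEN)


def password_derived_salt(password: str) -> bytes:
    """Salt selection in the shape the comment describes (assumed details):
    a fixed fallback for empty/short passwords, otherwise bytes taken from
    the password itself. Either way the salt is a pure function of the
    password, so it contributes no per-record randomness."""
    if not password or len(password) < 4:
        return FALLBACK_SALT
    return password.encode()[:8]


def weak_derive(password: str) -> bytes:
    """Deterministic: the same password always maps to the same key."""
    return derive_key(password, password_derived_salt(password))


def strong_derive(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Fresh 16-byte salt from the OS CSPRNG (Java analogue: SecureRandom).
    The salt is not secret; it is returned so the caller stores it beside
    the ciphertext and passes it back in for decryption."""
    if salt is None:
        salt = os.urandom(16)
    return salt, derive_key(password, salt)


def is_deterministic(derive: Callable[[str], bytes], password: str = "hunter2xyz") -> bool:
    """Self-check for a KDF wrapper: two derivations of one password should
    NOT agree unless a fixed or password-derived salt is being reused."""
    return derive(password) == derive(password)


def round_trip_ok(password: str) -> bool:
    """The stored salt must reproduce the key; a fresh salt must not."""
    salt, key = strong_derive(password)
    _, again = strong_derive(password, salt)
    _, fresh = strong_derive(password)
    return again == key and fresh != key
```

`is_deterministic` is the kind of unit test that would flag the weak path in CI: it passes (returns True) for `weak_derive` and fails for the random-salt variant.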