[CASSANDRA-16990] Update jbcrypt library to 0.4 from 0.3m to resolve CVE-2015-0886 - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Task
Status: Resolved
Priority: Normal
Resolution: Duplicate
Fix Version/s: 3.0.26, 3.11.12, 4.0.2, 4.1-alpha1, 4.1
Component/s: Dependencies
Labels:
None

Change Category:
Operability
Complexity:
Low Hanging Fruit
Platform:

All
Impacts:

None

Description

We are using jbcrypto of version 0.3m across all versions, this version of the library was never changed since 1.1.2.

In 0.3m they found out this (1) and (2, 3 for better explanation / reference)

I think we are affected by this, it is possible to set 31 rounds here (4) which would hit the same same logic afteward these tickets are talking about.

1) https://nvd.nist.gov/vuln/detail/CVE-2015-0886

2) http://www.mindrot.org/projects/jBCrypt/news/rel04.html

3) https://bugzilla.mindrot.org/show_bug.cgi?id=2097

4) https://github.com/apache/cassandra/blob/trunk/src/java/org/apache/cassandra/auth/CassandraRoleManager.java#L105-L117

I hence propose to update the library to 0.4 where this is fixed.

Attachments

Issue Links

duplicates

CASSANDRA-9384 Update jBCrypt dependency to version 0.4

Resolved

Activity

People

Assignee:: Stefan Miklosovic

Reporter:: Stefan Miklosovic

Authors:: Stefan Miklosovic

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 24/Sep/21 09:40

Updated:: 16/Dec/22 21:56

Resolved:: 24/Sep/21 11:46