Details
- Improvement
- Status: Resolved
- Major
- Resolution: Fixed
- Patch
Description
Vulnerability Description
In file [directory-server/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcCrcEncryption.java|https://github.com/apache/directory-server/blob/master/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcCrcEncryption.java], a hardcoded IV (at Line 161) is used to initialize the cipher (at Line 165, Line 169).
Security Impact:
The IV of CBC mode is expected to be random. The static IV makes the resulting ciphertext much more predictable and susceptible to a dictionary attack.
Useful Resources:
https://cwe.mitre.org/data/definitions/338.html
Solution we suggest
Generate the IV bytes through SecureRandom.
Please share with us your opinions/comments if there are any.
Is the bug report helpful?