[FELIX-5934] The Felix Web Console stores unsalted hashed password - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: None
Fix Version/s: webconsole-4.3.10
Component/s: Web Console
Labels:
None

Description

The Felix Web Console currently stores unsalted hashed password [0]

This violates common security hygiene and industry standard.

The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. Argon2 or PBKDF2 . See [1]

[0]https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167

[1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet

Attachments

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

FELIX-5934-patch.txt
15/Oct/18 11:13
12 kB
Antonio Sanso

Issue Links

relates to

FELIX-5985 Change the hardcoded WebConsole password

Open

Activity

People

Assignee:: Carsten Ziegeler

Reporter:: Antonio Sanso

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Dates

Created:: 21/Sep/18 06:06

Updated:: 20/May/19 11:30

Resolved:: 13/Nov/18 10:38