Details
- Improvement
- Status: Closed
- Major
- Resolution: Fixed
- Sprint 52
Description
Vulnerability Description: In the file "engine-mr/src/main/java/org/apache/kylin/engine/mr/common/DefaultSslProtocolSocketFactory.java", the
private static SSLContext createEasySSLContext()
method contains the following line:
SSLContext context = SSLContext.getInstance("TLS");
The vulnerability is the use of "TLS" as the argument to the SSLContext.getInstance method.
Reason it's vulnerable: TLS 1.0 is vulnerable to man-in-the-middle attacks. For further reference, follow this.
Suggested Fix: Use
SSLContext.getInstance("TLSv1.3").
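The following is an added example, not code from the Kylin repository or from the ticket. It shows the suggested SSLContext.getInstance("TLSv1.3") together with a check a reviewer would want: per the JSSE standard names, the string passed to getInstance selects the highest protocol the context supports but the context may still enable older versions, so the enabled protocol list is pinned explicitly via SSLParameters and verified to contain no legacy version. It assumes the JDK's default key and trust managers and a JDK that supports TLS 1.3 (8u261 or later, or 11+); on older JDKs getInstance("TLSv1.3") throws NoSuchAlgorithmException. The class and method names are the example's own.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class TlsContextCheck {

    // Protocol versions that must never be negotiated.
    private static final Set<String> LEGACY =
            new HashSet<>(Arrays.asList("SSLv3", "TLSv1", "TLSv1.1"));

    /** Context as suggested in the ticket: TLS 1.3 is the highest supported version. */
    static SSLContext createTls13Context()
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance("TLSv1.3");
        // null managers = JDK defaults (assumption made for this example)
        ctx.init(null, null, null);
        return ctx;
    }

    /** Pin the protocols a socket created from this context is allowed to use. */
    static SSLParameters hardenedParameters(SSLContext ctx) {
        SSLParameters params = ctx.getDefaultSSLParameters();
        params.setProtocols(new String[] {"TLSv1.3", "TLSv1.2"});
        return params;
    }

    /** Legacy versions still enabled; an empty set means the check passes. */
    static Set<String> legacyProtocolsEnabled(String[] enabled) {
        Set<String> found = new HashSet<>(Arrays.asList(enabled));
        found.retainAll(LEGACY);
        return found;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = createTls13Context();
        // What this JDK enables by default for the context; depends on the JDK
        // version and on the jdk.tls.disabledAlgorithms security property.
        String[] defaults = ctx.getDefaultSSLParameters().getProtocols();
        System.out.println("default enabled: " + Arrays.toString(defaults)
                + ", legacy still on: " + legacyProtocolsEnabled(defaults));
        String[] pinned = hardenedParameters(ctx).getProtocols();
        System.out.println("pinned enabled:  " + Arrays.toString(pinned)
                + ", legacy still on: " + legacyProtocolsEnabled(pinned));
        // Apply hardenedParameters(ctx) with SSLSocket.setSSLParameters on each
        // socket the factory hands out before the handshake starts.
    }
}
```

Running it prints the JDK's default enabled list first, so the difference between "asked for TLSv1.3" and "only TLS 1.2/1.3 enabled" is visible on the JDK actually deployed.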
Feedback: Please select any of the options down below to help us get an idea about how you felt about the suggestion -
- Liked it and will make the suggested changes
- Liked it but happy with the existing version
- Didn’t find the suggestion helpful