Kylin / KYLIN-4478

Usage of "AES/ECB/PKCS5Padding" is insecure

    Details

    • Type: Improvement
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: v3.1.0
    • Component/s: None
    • Labels: None
    • Sprint: Sprint 52

      Description

      Vulnerability Description: In the file "core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java", the method public static String encrypt(String strToEncrypt) contains the following line:

      Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");

      The vulnerability is the use of "AES/ECB/PKCS5Padding" as the argument to Cipher.getInstance.

      Reason it's vulnerable: "AES/ECB/PKCS5Padding" is not secure. ECB mode encrypts each 16-byte block independently with no IV, so identical plaintext blocks always produce identical ciphertext blocks and the ciphertext leaks the structure of the plaintext. For further reference, follow this.

      Suggested Fix: Use

      Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");

      and initialize the cipher with a fresh, randomly generated IV on every encryption (CFB without a unique IV per message is no better than ECB).
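The following is an added example, not Kylin's EncryptUtil code, that makes the reported problem observable: it encrypts a constructed plaintext made of repeated blocks with the vulnerable "AES/ECB/PKCS5Padding" transformation and with the suggested "AES/CFB/PKCS5Padding" transformation, then checks whether any two ciphertext blocks are identical. The class name, the helper names, the 128-bit key and the test plaintext are all assumptions made for this demonstration.

```java
// Added example (not Kylin's EncryptUtil code): shows why the reported
// "AES/ECB/PKCS5Padding" transformation leaks plaintext structure and how
// the suggested "AES/CFB/PKCS5Padding" has to be driven with a random IV.
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

public class EcbVsCfbDemo {
    private static final int BLOCK = 16; // AES block size in bytes

    // Returns true if any two 16-byte ciphertext blocks are identical.
    // Under ECB, identical plaintext blocks always give identical ciphertext
    // blocks, so this is a cheap detector for the pattern leak.
    static boolean hasRepeatedBlocks(byte[] ct) {
        int n = ct.length / BLOCK;
        for (int i = 0; i < n; i++) {
            byte[] a = Arrays.copyOfRange(ct, i * BLOCK, (i + 1) * BLOCK);
            for (int j = i + 1; j < n; j++) {
                byte[] b = Arrays.copyOfRange(ct, j * BLOCK, (j + 1) * BLOCK);
                if (Arrays.equals(a, b)) return true;
            }
        }
        return false;
    }

    // Vulnerable form from the ticket: no IV, fully deterministic per block.
    static byte[] encryptEcb(SecretKey key, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(pt);
    }

    // Suggested form: CFB with a random IV generated per call. The IV is
    // not secret, so it is prepended to the ciphertext for the decryptor.
    static byte[] encryptCfb(SecretKey key, byte[] pt) throws Exception {
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/CFB/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] body = c.doFinal(pt);
        byte[] out = new byte[BLOCK + body.length];
        System.arraycopy(iv, 0, out, 0, BLOCK);
        System.arraycopy(body, 0, out, BLOCK, body.length);
        return out;
    }

    // Splits off the prepended IV and decrypts the remainder.
    static byte[] decryptCfb(SecretKey key, byte[] ivAndCt) throws Exception {
        IvParameterSpec iv = new IvParameterSpec(Arrays.copyOfRange(ivAndCt, 0, BLOCK));
        Cipher c = Cipher.getInstance("AES/CFB/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, key, iv);
        return c.doFinal(ivAndCt, BLOCK, ivAndCt.length - BLOCK);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128); // assumed key size for the demo
        SecretKey key = kg.generateKey();

        // Constructed input: four identical 16-byte blocks, the kind of
        // repetition a padded or repeated field in a credential can produce.
        byte[] pt = new byte[4 * BLOCK];
        Arrays.fill(pt, (byte) 'A');

        byte[] ecb = encryptEcb(key, pt);
        byte[] cfb = encryptCfb(key, pt);
        System.out.println("ECB ciphertext has repeated blocks: " + hasRepeatedBlocks(ecb));
        System.out.println("CFB ciphertext has repeated blocks: " + hasRepeatedBlocks(cfb));
        System.out.println("CFB round trip matches plaintext:   "
                + Arrays.equals(pt, decryptCfb(key, cfb)));
    }
}
```

Two points a practitioner should take from this beyond the one-line fix in the ticket: the IV must come from SecureRandom for every call and be stored or transmitted alongside the ciphertext, because reusing an IV under the same key in CFB leaks the XOR of the two plaintexts' first blocks; and CFB, like ECB, provides confidentiality only, so anything that needs tamper detection still has to add a MAC or use an authenticated mode.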

      Feedback: Please select any of the options down below to help us get an idea about how you felt about the suggestion -

      1. Liked it and will make the suggested changes
      2. Liked it but happy with the existing version
      3. Didn’t find the suggestion helpful

        People

        • Assignee: Md Mahir Asef Kabir (mahir.kabir)
        • Reporter: Md Mahir Asef Kabir (mahir.kabir)