
Usage of "AES/ECB/PKCS5Padding" is insecure


Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • v3.1.0
    • Sprint 52

    Description

      Vulnerability Description: In "core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java" file the following code was written in public static String encrypt(String strToEncrypt) method -

      Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");

      The vulnerability is, using "AES/ECB/PKCS5Padding" as the argument to Cipher.getInstance method.

      Reason it's vulnerable: "AES/ECB/PKCS5Padding" is not secure. For further reference, follow this.

      Suggested Fix: Using

      Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");

      Feedback: Please select any of the options down below to help us get an idea about how you felt about the suggestion -

      1. Liked it and will make the suggested changes
      2. Liked it but happy with the existing version
      3. Didn’t find the suggestion helpful
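As an added demonstration (this is not Kylin's EncryptUtil code and not part of the reporter's suggestion), the following Java program encrypts a plaintext made of repeated 16-byte records with the flagged "AES/ECB/PKCS5Padding" transformation and with the suggested "AES/CFB/PKCS5Padding". It shows the property that makes ECB unsuitable here: identical plaintext blocks become identical ciphertext blocks, and the same input encrypts to the same output every time, so an observer of the ciphertext learns which records are equal. CFB with a fresh random IV shows neither pattern. The 16-byte key literal is constructed for the demo only; CFB requires an IV, so the example prepends it to the ciphertext and reads it back on decryption. The class name and helper names (encryptEcb, encryptCfb, decryptCfb, hasRepeatedBlocks) are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Added demonstration for KYLIN-4478; not Kylin's EncryptUtil. */
public class EcbLeakDemo {
    private static final int BLOCK = 16;

    // Constructed demo key. A real key must come from a key store or KDF, never a source literal.
    private static final byte[] DEMO_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    /** The mode flagged in the issue: no IV, so each plaintext block maps to one fixed ciphertext block. */
    static byte[] encryptEcb(byte[] key, byte[] plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/ECB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"));
        return cipher.doFinal(plaintext);
    }

    /** The suggested mode with a fresh random IV. Output layout is IV || ciphertext so the IV travels with the data. */
    static byte[] encryptCfb(byte[] key, byte[] plaintext) throws Exception {
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new IvParameterSpec(iv));
        byte[] body = cipher.doFinal(plaintext);
        byte[] out = new byte[iv.length + body.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(body, 0, out, iv.length, body.length);
        return out;
    }

    /** Reverses encryptCfb: the first 16 bytes are the IV, the rest is the ciphertext. */
    static byte[] decryptCfb(byte[] key, byte[] ivAndCiphertext) throws Exception {
        IvParameterSpec iv = new IvParameterSpec(Arrays.copyOfRange(ivAndCiphertext, 0, BLOCK));
        Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), iv);
        return cipher.doFinal(ivAndCiphertext, BLOCK, ivAndCiphertext.length - BLOCK);
    }

    /** True if any 16-byte ciphertext block occurs twice: the tell-tale signature of ECB on repetitive data. */
    static boolean hasRepeatedBlocks(byte[] ciphertext) {
        Set<String> seen = new HashSet<>();
        for (int i = 0; i + BLOCK <= ciphertext.length; i += BLOCK) {
            String block = Arrays.toString(Arrays.copyOfRange(ciphertext, i, i + BLOCK));
            if (!seen.add(block)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        // Constructed plaintext: the same 16-byte record three times, like a list of identical credentials.
        byte[] plaintext = "secret-password!secret-password!secret-password!".getBytes(StandardCharsets.US_ASCII);

        byte[] ecb = encryptEcb(DEMO_KEY, plaintext);
        byte[] cfbFirst = encryptCfb(DEMO_KEY, plaintext);
        byte[] cfbSecond = encryptCfb(DEMO_KEY, plaintext);

        System.out.println("ECB shows repeated ciphertext blocks: " + hasRepeatedBlocks(ecb));
        System.out.println("ECB is deterministic across calls:    " + Arrays.equals(ecb, encryptEcb(DEMO_KEY, plaintext)));
        System.out.println("CFB shows repeated ciphertext blocks: " + hasRepeatedBlocks(cfbFirst));
        System.out.println("CFB differs across calls (random IV): " + !Arrays.equals(cfbFirst, cfbSecond));
        System.out.println("CFB round-trips to the plaintext:     " + Arrays.equals(plaintext, decryptCfb(DEMO_KEY, cfbFirst)));
    }
}
```

Compile and run with `javac EcbLeakDemo.java && java EcbLeakDemo`. The point for anyone applying the fix is that changing the transformation string alone is not the whole change: with a non-ECB mode, `Cipher.init` in ENCRYPT_MODE without an `IvParameterSpec` makes the JCE provider generate a random IV that the caller must fetch with `cipher.getIV()` and store alongside the ciphertext, and decryption must pass that same IV back. Omitting this either fails at decrypt time or, if a fixed IV is hard-coded to make it "work", reintroduces the determinism the example shows.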

      People

        mahir.kabir Md Mahir Asef Kabir
        mahir.kabir Md Mahir Asef Kabir
        Votes: 0
        Watchers: 4