[PDFBOX-5798] Observable Timing Discrepancy (Timing Attack) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 2.0.31, 3.0.2 PDFBox, 4.0.0
Fix Version/s: 2.0.32, 3.0.3 PDFBox, 4.0.0
Component/s: Crypto
Labels:
None

Description

A static analyse tool is reporting:

An attacker can guess the secret value of digest because it is compared using java.util.Arrays.equals, which is vulnerable to timing attacks. Use java.security.MessageDigest.isEqual to compare values securely.
‎pdfbox/src/main/java/org/apache/pdfbox/pdmodel/encryption/StandardSecurityHandler.java

Attachments

Activity

People

Assignee:: Tilman Hausherr

Reporter:: Simon Steiner

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 03/Apr/24 12:08

Updated:: 03/Apr/24 14:49

Resolved:: 03/Apr/24 14:49