Uploaded image for project: 'Ranger'
  1. Ranger
  2. RANGER-3151

Avoid hardcoded salt in creating PBE

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Open
    • Major
    • Resolution: Unresolved
    • None
    • None
    • Ranger
    • Patch

    Description

      We found a security vulnerability in file ranger/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java. It allows a hardcoded salt "f77aLYLo" (at Line 54) passed to the PBE instantiation (at Line 79). 

      Security Impact:

      The salt is expected as a random string. A hardcoded salt may compromise system security in a way that cannot be easily remedied.

      Useful links:

      https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt

      https://cwe.mitre.org/data/definitions/760.html

      http://www.crypto-it.net/eng/theory/pbe.html#part_salt

      Solution we suggest

      We suggest generating a random default salt by SecureRandom class.

      Please share with us your opinions/comments if there is any

      Is the bug report helpful?

      Attachments

        Activity

          People

            Unassigned Unassigned
            yaxiao Ya Xiao
            Votes:
            0 Vote for this issue
            Watchers:
            5 Start watching this issue

            Dates

              Created:
              Updated: