Description
We found a security vulnerability in file ranger/agents-common/src/main/java/org/apache/ranger/plugin/util/PasswordUtils.java. It allows a hardcoded salt "f77aLYLo" (at line 54) to be passed to the PBE instantiation (at line 79).
Security Impact:
A salt is expected to be a random value, generated fresh for each password or secret it protects. A hardcoded salt makes every installation derive the same key from the same password, so a single precomputed dictionary applies to all of them, and it may compromise system security in a way that cannot be easily remedied: changing the salt later invalidates every value already encrypted with it, so the stored values must be re-encrypted.
Useful links:
https://cwe.mitre.org/data/definitions/760.html
http://www.crypto-it.net/eng/theory/pbe.html#part_salt
Solution we suggest
We suggest generating a random default salt using the SecureRandom class.
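As an added illustration, not code from Ranger's PasswordUtils, the following shows the suggested fix in Java: the salt comes from SecureRandom on every call and is stored beside the ciphertext so that decryption can re-derive the same key. It uses PBKDF2WithHmacSHA256 with AES-GCM as the PBE scheme; the iteration count, salt and IV sizes, and the salt:iv:ciphertext record layout are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

// Added illustration, not Ranger's PasswordUtils: per-value salt from SecureRandom, stored with the ciphertext.
public class PbeSaltExample {
    private static final int ITERATIONS = 100_000, SALT_BYTES = 16, IV_BYTES = 12, KEY_BITS = 128; // assumed
    private static final SecureRandom RNG = new SecureRandom();
    // The pattern the report objects to: one salt on every installation, so equal passwords
    // always derive equal keys and a single precomputed dictionary covers all of them.
    static final byte[] HARDCODED_SALT = "f77aLYLo".getBytes(StandardCharsets.UTF_8);

    static byte[] randomBytes(int n) { byte[] b = new byte[n]; RNG.nextBytes(b); return b; }

    static SecretKey deriveKey(char[] password, byte[] salt) throws GeneralSecurityException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, ITERATIONS, KEY_BITS);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new SecretKeySpec(raw, "AES");
    }

    // Constructed record layout base64(salt):base64(iv):base64(ciphertext). Salt and IV are not
    // secret; they are stored so that decrypt() can re-derive the same key.
    static String encrypt(char[] password, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = randomBytes(SALT_BYTES), iv = randomBytes(IV_BYTES); // fresh salt on every call
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, deriveKey(password, salt), new GCMParameterSpec(128, iv));
        Base64.Encoder e = Base64.getEncoder();
        return e.encodeToString(salt) + ":" + e.encodeToString(iv) + ":" + e.encodeToString(c.doFinal(plaintext));
    }

    static byte[] decrypt(char[] password, String record) throws GeneralSecurityException {
        String[] f = record.split(":");
        Base64.Decoder d = Base64.getDecoder();
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, deriveKey(password, d.decode(f[0])), new GCMParameterSpec(128, d.decode(f[1])));
        return c.doFinal(d.decode(f[2])); // GCM tag check rejects a wrong password or an altered record
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] pw = "constructed-password".toCharArray();
        byte[] msg = "db-password".getBytes(StandardCharsets.UTF_8);
        // Fixed salt: the same key on every derivation, on every deployment (SecretKeySpec compares key bytes).
        System.out.println("fixed salt, same key twice: " + deriveKey(pw, HARDCODED_SALT).equals(deriveKey(pw, HARDCODED_SALT))); // true
        String r1 = encrypt(pw, msg), r2 = encrypt(pw, msg);
        System.out.println("random salt, same salt twice: " + r1.split(":")[0].equals(r2.split(":")[0])); // false
        System.out.println(new String(decrypt(pw, r1), StandardCharsets.UTF_8)); // db-password
    }
}
```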
Please share with us your opinions/comments if there are any.
Is the bug report helpful?