Sling: SLING-9418

Usage of SHA-256 is insecure


Details

    Type: Improvement
    Status: Resolved
    Priority: Major
    Resolution: Invalid

    Description

      Vulnerability Description: In the file "src/main/java/org/apache/sling/discovery/base/connectors/ping/TopologyRequestValidator.java", the method

          private String hash(String toHash)

      contains the following code:

          MessageDigest m = MessageDigest.getInstance("SHA-256");

      The vulnerability is using "SHA-256" as the argument to the MessageDigest.getInstance method.

      Reason it's vulnerable: According to this, SHA256 can be broken.

      Suggested Fix: SHA512 can be used instead.

      Feedback: Please select any of the options down below to help us get an idea about how you felt about the suggestion:

      1. Liked it and will make the suggested changes
      2. Liked it but happy with the existing version
      3. Didn't find the suggestion helpful

      Note: Tagging stefanegli as suggested by rombert in this pull request.

People

  Assignee: Unassigned
  Reporter: Md Mahir Asef Kabir (mahir.kabir)