Apache Wicket issue WICKET-6864

Avoid hardcoded salt and insufficient iteration length in creating PBE


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 9.2.0, 8.11.0
    • Fix Version/s: 9.3.0
    • Component/s: None
    • Labels: None

    Description

      We found a security vulnerability in file wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java, line 56: PBEParameterSpec uses a hard-coded salt defined in line 53 and iteration = 17 (defined in line 47).

      Security Impact:

      The salt is expected to be a random string. A hardcoded salt may compromise system security in a way that cannot be easily remedied. Also, to achieve strong encryption, the iteration count should be larger than 1000.

      Useful links:

      https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt

      https://cwe.mitre.org/data/definitions/760.html

      http://www.crypto-it.net/eng/theory/pbe.html#part_salt

      https://www.appmarq.com/public/tqi,1039022,CWE-916Cryptographic-HashAvoid-using-Insecure-PBE-Iteration-Count

      Solution we suggest

      We suggest generating a random default salt with the SecureRandom class and setting the iteration count larger than 1000.

      Please share with us your opinions/comments, if any.

      Is the bug report helpful?
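As an added example (not code from Wicket, not SunJceCrypt, and not the reporter's), the following Java class contrasts the weak pattern the report describes (one fixed salt, 17 iterations) with a hardened form: a fresh SecureRandom salt per encryption, stored in front of the ciphertext so the decryptor can recover it, and an iteration count above the 1000 floor the report names. The algorithm name PBEWithHmacSHA256AndAES_128, the class and method names, the 10 000 iteration count and the sample password are assumptions for this illustration, not values taken from the issue or from Wicket.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

/**
 * Added example, not Wicket code: random per-message salt and a high
 * iteration count for password-based encryption, next to the weak pattern
 * the report describes. All names and values here are assumptions.
 */
public final class PbeSaltExample {

    // Weak pattern from the report: a salt shared by every installation and
    // only 17 KDF iterations (the salt bytes are illustrative, not Wicket's).
    static final byte[] HARDCODED_SALT = {
        (byte) 0x15, (byte) 0x8c, (byte) 0xa3, (byte) 0x4c,
        (byte) 0x7e, (byte) 0xc7, (byte) 0xf5, (byte) 0x14 };
    static final int WEAK_ITERATIONS = 17;

    // Hardened settings (assumed values): PBES2 with HMAC-SHA256 and AES-128,
    // 16-byte random salt, and an iteration count well above 1000.
    static final String ALGORITHM = "PBEWithHmacSHA256AndAES_128"; // SunJCE, JDK 8+
    static final int SALT_LEN = 16;
    static final int IV_LEN = 16;
    static final int ITERATIONS = 10_000;

    private static final SecureRandom RNG = new SecureRandom();

    /** Weak form: fixed salt, 17 iterations and (for this cipher) a fixed IV,
     *  so equal plaintexts give equal ciphertexts and the KDF is cheap to brute-force. */
    public static byte[] weakEncrypt(char[] password, byte[] plaintext) throws GeneralSecurityException {
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password),
                new PBEParameterSpec(HARDCODED_SALT, WEAK_ITERATIONS, new IvParameterSpec(new byte[IV_LEN])));
        return cipher.doFinal(plaintext);
    }

    /** Hardened form. Output layout: salt || iv || ciphertext. */
    public static byte[] encrypt(char[] password, byte[] plaintext) throws GeneralSecurityException {
        byte[] salt = new byte[SALT_LEN];
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(salt);   // fresh salt for every encryption
        RNG.nextBytes(iv);

        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.ENCRYPT_MODE, deriveKey(password),
                new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv)));
        byte[] ct = cipher.doFinal(plaintext);

        byte[] out = new byte[SALT_LEN + IV_LEN + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_LEN);
        System.arraycopy(iv, 0, out, SALT_LEN, IV_LEN);
        System.arraycopy(ct, 0, out, SALT_LEN + IV_LEN, ct.length);
        return out;
    }

    /** Reads the salt and IV back out of the blob; the iteration count is a fixed parameter. */
    public static byte[] decrypt(char[] password, byte[] blob) throws GeneralSecurityException {
        if (blob.length < SALT_LEN + IV_LEN) {
            throw new IllegalArgumentException("blob too short to carry salt and IV");
        }
        byte[] salt = Arrays.copyOfRange(blob, 0, SALT_LEN);
        byte[] iv = Arrays.copyOfRange(blob, SALT_LEN, SALT_LEN + IV_LEN);
        byte[] ct = Arrays.copyOfRange(blob, SALT_LEN + IV_LEN, blob.length);

        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(Cipher.DECRYPT_MODE, deriveKey(password),
                new PBEParameterSpec(salt, ITERATIONS, new IvParameterSpec(iv)));
        return cipher.doFinal(ct);
    }

    // The key object carries only the password; salt and iteration count
    // are supplied through PBEParameterSpec at Cipher.init time.
    private static SecretKey deriveKey(char[] password) throws GeneralSecurityException {
        return SecretKeyFactory.getInstance(ALGORITHM).generateSecret(new PBEKeySpec(password));
    }

    public static void main(String[] args) throws GeneralSecurityException {
        char[] password = "correct horse battery staple".toCharArray();      // constructed sample
        byte[] msg = "session-token-123".getBytes(StandardCharsets.UTF_8);   // constructed sample

        // Weak path: two encryptions of the same input are byte-for-byte identical.
        System.out.println("weak outputs identical: "
                + Arrays.equals(weakEncrypt(password, msg), weakEncrypt(password, msg)));

        // Hardened path: a different salt each time, and the blob still round-trips.
        byte[] a = encrypt(password, msg);
        byte[] b = encrypt(password, msg);
        System.out.println("hardened outputs identical: " + Arrays.equals(a, b));
        System.out.println("round trip ok: " + Arrays.equals(msg, decrypt(password, a)));
    }
}
```

Compile and run with javac/java; the weak path prints that its outputs are identical, the hardened path prints that they differ and that decryption recovers the message. Because the salt travels with the ciphertext, no shared fixed salt is needed to decrypt, which is the property the hard-coded value in the report was standing in for.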

          People

            Assignee: Unassigned
            Reporter: Vicky Zhang
            Votes: 0
            Watchers: 2