Details
- Type: Improvement
- Status: Resolved
- Priority: Major
- Resolution: Fixed
- 9.2.0, 8.11.0
Description
We found a security vulnerability in file wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java, line 56: PBEParameterSpec uses a hard-coded salt defined on line 53 and an iteration count of 17 (defined on line 47).
Security Impact:
The salt is expected to be a random string. A hard-coded salt may compromise system security in a way that cannot be easily remedied. Also, to achieve strong encryption, the iteration count should be larger than 1000.
Useful links:
https://cwe.mitre.org/data/definitions/760.html
http://www.crypto-it.net/eng/theory/pbe.html#part_salt
Solution we suggest
We suggest generating a random default salt using the SecureRandom class and setting the iteration count larger than 1000.
Please share your opinions/comments with us if there are any.
Is the bug report helpful?