[
https://issues.apache.org/jira/browse/WICKET-6864?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrea Del Bene resolved WICKET-6864.
-------------------------------------
Resolution: Fixed
> Avoid hardcoded salt and insuffcient interation length in creating PBE
> ----------------------------------------------------------------------
>
> Key: WICKET-6864
> URL: https://issues.apache.org/jira/browse/WICKET-6864
> Project: Wicket
> Issue Type: Improvement
> Affects Versions: 9.2.0, 8.11.0
> Reporter: Vicky Zhang
> Priority: Major
> Fix For: 9.3.0
>
>
> We found a security vulnerability in file:
> [wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java
> |https://github.com/apache/wicket/pull/425/commits/7300bbcd728a5dd4a00a4873dcc9487b4a9d91fb#diff-d68bd6c44cc638d62652d647655385b8508dc0819e99b77f0b4d3257aab17bff]line
> 56, PBEParameterSpec use a hard-coded salt defined in line 53 and iteration
> = 17(defined in line 47)
> *Security Impact*:
> The salt is expected as a random string. A hardcoded salt may compromise
> system security in a way that cannot be easily remedied. Also to achieve
> strong encryption, the iteration should be larger than 1000.
> _Useful links_:
> [https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
> [https://cwe.mitre.org/data/definitions/760.html]
> [http://www.crypto-it.net/eng/theory/pbe.html#part_salt]
> https://www.appmarq.com/public/tqi,1039022,CWE-916Cryptographic-HashAvoid-using-Insecure-PBE-Iteration-Count
> *Solution we suggest*
> We suggest generating a random default salt by SecureRandom class, set the
> iteration larger than 1000
> *Please share with us your opinions/comments if there is any*
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
