[ https://issues.apache.org/jira/browse/WICKET-6864?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrea Del Bene resolved WICKET-6864.
-------------------------------------
    Resolution: Fixed

> Avoid hardcoded salt and insufficient iteration length in creating PBE
> ----------------------------------------------------------------------
>
>                 Key: WICKET-6864
>                 URL: https://issues.apache.org/jira/browse/WICKET-6864
>             Project: Wicket
>          Issue Type: Improvement
>    Affects Versions: 9.2.0, 8.11.0
>            Reporter: Vicky Zhang
>            Priority: Major
>             Fix For: 9.3.0
>
>
> We found a security vulnerability in file:
> [wicket-util/src/main/java/org/apache/wicket/util/crypt/SunJceCrypt.java|https://github.com/apache/wicket/pull/425/commits/7300bbcd728a5dd4a00a4873dcc9487b4a9d91fb#diff-d68bd6c44cc638d62652d647655385b8508dc0819e99b77f0b4d3257aab17bff] line 56: PBEParameterSpec uses a hard-coded salt defined in line 53 and iteration = 17 (defined in line 47).
> *Security Impact*:
> The salt is expected to be a random string. A hardcoded salt may compromise system security in a way that cannot be easily remedied. Also, to achieve strong encryption, the iteration count should be larger than 1000.
> _Useful links_:
> [https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
> [https://cwe.mitre.org/data/definitions/760.html]
> [http://www.crypto-it.net/eng/theory/pbe.html#part_salt]
> https://www.appmarq.com/public/tqi,1039022,CWE-916Cryptographic-HashAvoid-using-Insecure-PBE-Iteration-Count
> *Solution we suggest*
> We suggest generating a random default salt with the SecureRandom class and setting the iteration count larger than 1000.
> *Please share with us your opinions/comments if there are any*
> Is the bug report helpful?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
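The weak pattern the report describes (a constant salt handed to PBEParameterSpec together with an iteration count of 17) beside the hardened form it suggests (a per-encryption salt from SecureRandom and an iteration count well above 1000), as an added example. This is illustration code, not Wicket's SunJceCrypt and not the fix that shipped in 9.3.0; the algorithm name "PBEWithMD5AndDES", the 8-byte salt, the 10,000 iterations and the salt-prefixed output format are assumptions made here so the example runs on a stock JDK with the SunJCE provider.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;

public class PbeSaltDemo {
    // Assumed PBES1 scheme available in SunJCE; it requires an 8-byte salt.
    private static final String ALGORITHM = "PBEWithMD5AndDES";
    private static final int SALT_LEN = 8;

    // Weak configuration: a constant salt and 17 iterations, the shape the report objects to.
    // The salt bytes here are made up for the example.
    private static final byte[] HARDCODED_SALT = {
        (byte) 0x15, (byte) 0x8c, (byte) 0xa3, (byte) 0x4a,
        (byte) 0x66, (byte) 0x51, (byte) 0x2a, (byte) 0xbc };
    private static final int WEAK_ITERATIONS = 17;

    // Hardened configuration: fresh salt per call, iteration count well above 1000 (assumed value).
    private static final int STRONG_ITERATIONS = 10_000;
    private static final SecureRandom RNG = new SecureRandom();

    // Every call with the same password and plaintext yields the same ciphertext:
    // in PBES1 the DES key and IV are both derived from (password, salt, iterations).
    static byte[] encryptWeak(String password, byte[] plaintext) throws Exception {
        return pbe(Cipher.ENCRYPT_MODE, password, HARDCODED_SALT, WEAK_ITERATIONS, plaintext);
    }

    // Output is salt || ciphertext. The salt is not secret; it only has to be unique per encryption,
    // so storing it in the clear next to the ciphertext is the normal design.
    static byte[] encryptStrong(String password, byte[] plaintext) throws Exception {
        byte[] salt = new byte[SALT_LEN];
        RNG.nextBytes(salt);
        byte[] ct = pbe(Cipher.ENCRYPT_MODE, password, salt, STRONG_ITERATIONS, plaintext);
        byte[] out = new byte[SALT_LEN + ct.length];
        System.arraycopy(salt, 0, out, 0, SALT_LEN);
        System.arraycopy(ct, 0, out, SALT_LEN, ct.length);
        return out;
    }

    static byte[] decryptStrong(String password, byte[] saltAndCt) throws Exception {
        if (saltAndCt.length <= SALT_LEN) {
            throw new IllegalArgumentException("input too short to contain salt and ciphertext");
        }
        byte[] salt = Arrays.copyOfRange(saltAndCt, 0, SALT_LEN);
        byte[] ct = Arrays.copyOfRange(saltAndCt, SALT_LEN, saltAndCt.length);
        return pbe(Cipher.DECRYPT_MODE, password, salt, STRONG_ITERATIONS, ct);
    }

    // Shared PBE core: the only inputs that differ between the weak and strong paths
    // are the salt and the iteration count passed to PBEParameterSpec.
    private static byte[] pbe(int mode, String password, byte[] salt, int iterations, byte[] input)
            throws Exception {
        SecretKeyFactory factory = SecretKeyFactory.getInstance(ALGORITHM);
        SecretKey key = factory.generateSecret(new PBEKeySpec(password.toCharArray()));
        Cipher cipher = Cipher.getInstance(ALGORITHM);
        cipher.init(mode, key, new PBEParameterSpec(salt, iterations));
        return cipher.doFinal(input);
    }

    public static void main(String[] args) throws Exception {
        byte[] msg = "session-token-42".getBytes(StandardCharsets.UTF_8); // constructed sample input
        String password = "hunter2";

        byte[] w1 = encryptWeak(password, msg);
        byte[] w2 = encryptWeak(password, msg);
        System.out.println("weak: same ciphertext on re-encryption = " + Arrays.equals(w1, w2));

        byte[] s1 = encryptStrong(password, msg);
        byte[] s2 = encryptStrong(password, msg);
        System.out.println("strong: same ciphertext on re-encryption = " + Arrays.equals(s1, s2));
        System.out.println("strong: round trip ok = " + Arrays.equals(msg, decryptStrong(password, s1)));
    }
}
```

The weak path prints `true` for the first check: with a fixed salt, equal plaintexts under the same password encrypt to equal ciphertexts across restarts and across deployments, so an attacker who learns one (password, plaintext, ciphertext) triple can recognise it everywhere, and a single precomputed table of PBE keys covers every installation. The hardened path prints `false` and then `true`: each encryption gets its own salt, and decryption recovers it from the prefix. Raising the iteration count only slows dictionary attacks; it does nothing about the cross-installation problem, which is why both changes belong together. The underlying MD5/DES scheme is kept here purely to isolate the salt and iteration issues the report raises; choosing a stronger PBE scheme is a separate decision.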