Md Mahir Asef Kabir created KYLIN-4477:
------------------------------------------
Summary: Usage of "TLS" is insecure
Key: KYLIN-4477
URL: https://issues.apache.org/jira/browse/KYLIN-4477
Project: Kylin
Issue Type: Improvement
Reporter: Md Mahir Asef Kabir
*Vulnerability Description:* In the file “engine-mr/src/main/java/org/apache/kylin/engine/mr/common/DefaultSslProtocolSocketFactory.java” the following code was written in the
{code:java}
private static SSLContext createEasySSLContext()
{code}
method -
{code:java}
SSLContext context = SSLContext.getInstance("TLS");
{code}
The vulnerability is the use of "TLS" as the argument to the SSLContext.getInstance method.
*Reason it’s vulnerable:* TLS 1.0 is vulnerable to man-in-the-middle attacks.
For further reference, follow
[this|https://www.comodo.com/e-commerce/ssl-certificates/tls-1-deprecation.php].
*Suggested Fix:* Using
{code:java}
SSLContext context = SSLContext.getInstance("TLSv1.3");
{code}
*Feedback:* Please select any of the options down below to help us get an idea
about how you felt about the suggestion -
# Liked it and will make the suggested changes
# Liked it but happy with the existing version
# Didn’t find the suggestion helpful
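Added example, not part of the original report and not Kylin's code: on a given JVM, the protocol versions a socket may negotiate are its enabled protocols, which can be inspected and restricted explicitly whichever name is passed to SSLContext.getInstance. The class name and the ALLOWED list (TLS 1.2 and 1.3) are assumptions chosen for illustration.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import java.util.Arrays;
import java.util.List;

public class TlsProtocolPinning {
    // Assumption for this example: the deployment accepts TLS 1.2 and 1.3 only.
    static final List<String> ALLOWED = Arrays.asList("TLSv1.3", "TLSv1.2");

    /** Versions from ALLOWED that this JVM's provider supports, in preference order. */
    static String[] pinned(SSLContext ctx) {
        List<String> supported =
                Arrays.asList(ctx.getSupportedSSLParameters().getProtocols());
        String[] usable = ALLOWED.stream()
                .filter(supported::contains)
                .toArray(String[]::new);
        if (usable.length == 0) {
            // Fail closed instead of silently falling back to older versions.
            throw new IllegalStateException("JVM supports none of " + ALLOWED);
        }
        return usable;
    }

    /** Unconnected client socket whose enabled protocols are limited to pinned(). */
    static SSLSocket hardenedSocket(SSLContext ctx) throws Exception {
        SSLSocket socket = (SSLSocket) ctx.getSocketFactory().createSocket();
        SSLParameters params = socket.getSSLParameters();
        params.setProtocols(pinned(ctx));
        socket.setSSLParameters(params);
        return socket;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers, SecureRandom
        // What this JVM enables by default (depends on JDK version and security config).
        System.out.println("default enabled: "
                + Arrays.toString(ctx.getDefaultSSLParameters().getProtocols()));
        try (SSLSocket socket = hardenedSocket(ctx)) {
            System.out.println("pinned enabled:  "
                    + Arrays.toString(socket.getEnabledProtocols()));
        }
    }
}
```

Running it on the target JVM shows whether TLSv1 or TLSv1.1 appear in the default enabled list, which is the condition the report is concerned with.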