[ https://issues.apache.org/jira/browse/PHOENIX-6369?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Geoffrey Jacoby resolved PHOENIX-6369.
--------------------------------------
    Resolution: Duplicate

See the discussion on PHOENIX-4702, when a different user reported use of MD5 
within the Phoenix code base. To sum up, Phoenix does not use MD5 as a 
cryptographic hash. It provides MD5 as a SQL function that users can call, and 
it uses it internally as part of the old index scrutiny tool. 

It would be a useful future feature to provide a more robust, modern 
cryptographic hash as a SQL function in Phoenix.

> Usage of broken hash algorithm detected
> ---------------------------------------
>
>                 Key: PHOENIX-6369
>                 URL: https://issues.apache.org/jira/browse/PHOENIX-6369
>             Project: Phoenix
>          Issue Type: Improvement
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>
> In file [https://github.com/apache/phoenix/blob/7987a74e6cea1103a028e128f98e2fb3c2252b82/phoenix-core/src/main/java/org/apache/phoenix/expression/function/MD5Function.java] (at Line 42) "md5" algorithm has been used.
> *Security Impact*:
> The MD5 Message-Digest Algorithm is not collision-resistant, which makes it 
> easier for context-dependent attackers to conduct spoofing attacks.
> *Useful Resources*:
> https://www.cvedetails.com/cve/CVE-2004-2761/
> *Solution we suggest*:
> Use SHA >= 256 algorithms instead
> *Please share with us your opinions/comments if there is any*:
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
