[ https://issues.apache.org/jira/browse/RANGER-3183?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Bhavik Patel resolved RANGER-3183.
----------------------------------
    Resolution: Not A Problem

The iteration parameter is configurable; you can update the properties for your 
cluster.

> Avoid insufficient iteration length in creating PBE #882
> --------------------------------------------------------
>
>                 Key: RANGER-3183
>                 URL: https://issues.apache.org/jira/browse/RANGER-3183
>             Project: Ranger
>          Issue Type: Improvement
>          Components: Ranger
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>
> We found a security vulnerability in file: 
> [https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java]
>  line 311, PBEParameterSpec used an iteration = 20
> Security Impact:
> To achieve strong encryption, the iteration should be larger than 1000.
> Useful links:
> [https://vulncat.fortify.com/en/detail?id=desc.semantic.cpp.weak_cryptographic_hash_hardcoded_pbe_salt]
> [https://cwe.mitre.org/data/definitions/760.html]
> [http://www.crypto-it.net/eng/theory/pbe.html#part_salt]
> [https://www.appmarq.com/public/tqi,1039022,CWE-916Cryptographic-HashAvoid-using-Insecure-PBE-Iteration-Count]
> Solution we suggest
> We suggest setting the iteration larger than 1000
> Please share with us your opinions/comments if there are any
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.20.1#820001)
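
A configurable iteration count only helps if low values are refused when the configuration is loaded. The following is an added example, not code from Ranger or from this thread: it reads the count from a property, rejects anything at or below the 1000 floor named in the report, and builds the PBEParameterSpec from the accepted value. The property name, the algorithm choice, the value 100000 and the sample password are assumptions made for this example.

```java
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.PBEParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Properties;

public class PbeIterationCheck {
    // Hypothetical property name for this example; not Ranger's actual key.
    static final String PROP = "example.pbe.iterations";
    // The report asks for a count larger than 1000.
    static final int FLOOR = 1000;
    // Assumed algorithm for this example (available in the JDK's SunJCE provider).
    static final String ALG = "PBEWithHmacSHA256AndAES_128";

    // Read the configured count and refuse values at or below the floor.
    static int iterations(Properties p) {
        int n = Integer.parseInt(p.getProperty(PROP, "20")); // 20 = value cited in the report
        if (n <= FLOOR)
            throw new IllegalArgumentException(PROP + "=" + n + " must be larger than " + FLOOR);
        return n;
    }

    // Encrypt or decrypt with a password-derived key; salt, count and IV come from spec.
    static byte[] run(int mode, char[] pw, PBEParameterSpec spec, byte[] in) throws Exception {
        SecretKey key = SecretKeyFactory.getInstance(ALG).generateSecret(new PBEKeySpec(pw));
        Cipher c = Cipher.getInstance(ALG);
        c.init(mode, key, spec);
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        Properties p = new Properties(); // constructed sample configuration, property unset
        try { iterations(p); } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        p.setProperty(PROP, "100000"); // constructed sample value above the floor
        SecureRandom rng = new SecureRandom();
        byte[] salt = new byte[16], iv = new byte[16];
        rng.nextBytes(salt); rng.nextBytes(iv); // fresh random salt and IV per encryption
        PBEParameterSpec spec = new PBEParameterSpec(salt, iterations(p), new IvParameterSpec(iv));
        char[] pw = "constructed-sample-password".toCharArray();
        byte[] ct = run(Cipher.ENCRYPT_MODE, pw, spec, "sample key material".getBytes(StandardCharsets.UTF_8));
        byte[] pt = run(Cipher.DECRYPT_MODE, pw, spec, ct);
        System.out.println("round trip: " + new String(pt, StandardCharsets.UTF_8));
    }
}
```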
