[ https://issues.apache.org/jira/browse/KAFKA-12306?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17280744#comment-17280744 ]
GeordieMai commented on KAFKA-12306:
------------------------------------

[~Vicky Zhang] hello. I think the hard-coded text `Password` is just a hint message. You can see it here: https://github.com/a0x8o/kafka/blob/88ad7d1b7f816ddce65c3b4fa188c4781fe75b67/clients/src/main/java/org/apache/kafka/common/security/authenticator/SaslClientCallbackHandler.java#L68

> Avoid using plaintext/hard-coded key while generating secret key
> -----------------------------------------------------------------
>
>                 Key: KAFKA-12306
>                 URL: https://issues.apache.org/jira/browse/KAFKA-12306
>             Project: Kafka
>          Issue Type: Improvement
>          Components: clients
>            Reporter: Vicky Zhang
>            Priority: Major
>
> We are a security research team at Virginia Tech. We are doing an empirical
> study about the usefulness of the existing security vulnerability detection
> tools. The following is a reported vulnerability by certain tools. We'll very
> much appreciate it if you can give any feedback on it.
>
> *Security Location:*
> In file
> kafka/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramFormatter.java
> lines 58 and 76, new SecretKeySpec(key, algorithm) is invoked with a hard-coded
> key, which is defined in file
> kafka/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslClient.java
> lines 127-189.
>
> *Security Impact:*
> Cryptographic keys should not be kept in the source code. The source code can
> be widely shared in an enterprise environment and is certainly shared in open
> source. The use of a hard-coded cryptographic key significantly increases the
> possibility that encrypted data may be recovered.
>
> *Suggestions:*
> To be managed safely, passwords and secret keys should be stored in separate
> configuration files.
>
> Useful links:
> [https://cwe.mitre.org/data/definitions/321.html]
> [https://www.appmarq.com/public/tqi,1039028,CWE-327-Avoid-weak-encryption-providing-not-sufficient-key-size-JEE]
>
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
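To make the disputed SecretKeySpec call concrete, the following is an added example (written for this page, not Kafka's ScramFormatter or ScramSaslClient code, and not part of the report or the comment) of the RFC 5802 SCRAM-SHA-256 key derivation in Python: the key handed to the HMAC is the SaltedPassword derived at runtime from the user's password, while the constant strings "Client Key" and "Server Key" are the HMAC messages, so a scanner that flags them as hard-coded keys is looking at labels, not secrets. The password, salt, iteration count, nonces and AuthMessage are constructed values.

```python
import hashlib
import hmac

# Constructed demo values; nothing here comes from Kafka or the bug report.
PASSWORD = "correct horse battery staple"
SALT = b"constructed-demo-salt"
ITERATIONS = 4096
# RFC 5802 AuthMessage: client-first-bare "," server-first "," client-final-without-proof
AUTH_MESSAGE = b"n=alice,r=cnonce,r=cnoncesnonce,s=c2FsdA==,i=4096,c=biws,r=cnoncesnonce"

def hi(password: str, salt: bytes, iterations: int) -> bytes:
    # RFC 5802 Hi() is PBKDF2 with HMAC-SHA-256; the password is the only secret input.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def derive_scram_keys(password: str, salt: bytes, iterations: int) -> dict:
    # The HMAC key is always the runtime-derived SaltedPassword. The fixed strings
    # "Client Key" / "Server Key" are the HMAC messages: labels, not secret keys.
    salted = hi(password, salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha256).digest()
    server_key = hmac.new(salted, b"Server Key", hashlib.sha256).digest()
    stored_key = hashlib.sha256(client_key).digest()  # what the server persists
    return {"salted_password": salted, "client_key": client_key,
            "stored_key": stored_key, "server_key": server_key}

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def client_proof(client_key: bytes, stored_key: bytes, auth_message: bytes) -> bytes:
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage)
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    return _xor(client_key, signature)

def server_verifies(stored_key: bytes, auth_message: bytes, proof: bytes) -> bool:
    # The server recovers ClientKey from the proof and checks H(ClientKey) == StoredKey.
    signature = hmac.new(stored_key, auth_message, hashlib.sha256).digest()
    recovered_client_key = _xor(proof, signature)
    return hmac.compare_digest(hashlib.sha256(recovered_client_key).digest(), stored_key)

def authentication_succeeds(stored_password: str, attempted_password: str) -> bool:
    # Round trip: the server holds keys derived from stored_password, the client proves attempted_password.
    server_side = derive_scram_keys(stored_password, SALT, ITERATIONS)
    client_side = derive_scram_keys(attempted_password, SALT, ITERATIONS)
    proof = client_proof(client_side["client_key"], client_side["stored_key"], AUTH_MESSAGE)
    return server_verifies(server_side["stored_key"], AUTH_MESSAGE, proof)

if __name__ == "__main__":
    print("correct password accepted:", authentication_succeeds(PASSWORD, PASSWORD))
    print("wrong password accepted:", authentication_succeeds(PASSWORD, "guess"))
```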