[
https://issues.apache.org/jira/browse/DIRSERVER-2338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Colm O hEigeartaigh resolved DIRSERVER-2338.
--------------------------------------------
Resolution: Fixed
> Using a static IV in symmetric encryption with CBC mode
> -------------------------------------------------------
>
> Key: DIRSERVER-2338
> URL: https://issues.apache.org/jira/browse/DIRSERVER-2338
> Project: Directory ApacheDS
> Issue Type: Improvement
> Reporter: Ya Xiao
> Assignee: Colm O hEigeartaigh
> Priority: Major
> Labels: patch, security
> Fix For: 2.0.0.AM27
>
>
> *Vulnerability Description*
> In file
> [directory-server/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcCrcEncryption.java|[https://github.com/apache/directory-server/blob/master/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcCrcEncryption.java],]
> a hardcoded IV (at Line 161) is used to initialize the cipher (at Line 165,
> Line 169).
> *Security Impact:*
> The IV of CBC mode is expected to be random. The static IV makes the
> resulting ciphertext much more predictable and susceptible to a dictionary
> attack.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/338.html|https://cwe.mitre.org/data/definitions/329.html]
> *Solution we suggest*
> Generate the IV bytes through SecureRandom.
> *Please share with us your opinions/comments if there is any*
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
