[ https://issues.apache.org/jira/browse/DIRSERVER-2338?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Colm O hEigeartaigh resolved DIRSERVER-2338.
--------------------------------------------
    Resolution: Fixed

> Using a static IV in symmetric encryption with CBC mode
> -------------------------------------------------------
>
>                 Key: DIRSERVER-2338
>                 URL: https://issues.apache.org/jira/browse/DIRSERVER-2338
>             Project: Directory ApacheDS
>          Issue Type: Improvement
>            Reporter: Ya Xiao
>            Assignee: Colm O hEigeartaigh
>            Priority: Major
>              Labels: patch, security
>             Fix For: 2.0.0.AM27
>
>
> *Vulnerability Description*
> In file
> [directory-server/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcCrcEncryption.java|[https://github.com/apache/directory-server/blob/master/kerberos-codec/src/main/java/org/apache/directory/server/kerberos/shared/crypto/encryption/DesCbcCrcEncryption.java],]
> a hardcoded IV (at Line 161) is used to initialize the cipher (at Line 165,
> Line 169).
> *Security Impact:*
> The IV of CBC mode is expected to be random. The static IV makes the
> resulting ciphertext much more predictable and susceptible to a dictionary
> attack.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/338.html|https://cwe.mitre.org/data/definitions/329.html]
> *Solution we suggest*
> Generate the IV bytes through SecureRandom.
> *Please share with us your opinions/comments if there is any*
> Is the bug report helpful?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)