[ https://issues.apache.org/jira/browse/JAMES-2201?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Thibaut SAUTEREAU updated JAMES-2201:
-------------------------------------
Description:
Given the way SHA-1 is used to index attachments, it is vulnerable to the
SHAttered attack (https://shattered.io/), meaning you can overwrite the
attachment of a first email with a second email.
It is not critical yet as it took a lot of computational power from Google to
generate those 2 PDFs, but this issue will probably become widespread in coming
years and I think switching to SHA-256 for instance is a low-hanging fruit.
The same problem arises with Cassandra blob IDs.
was:
Given the way SHA-1 is used to index attachments, it is vulnerable to the
SHAttered attack (https://shattered.io/), meaning you can overwrite the
attachment of a first email with a second email.
It is not critical yet as it took a lot of computational power from Google to
generate those 2 PDFs, but this issue will probably become widespread in coming
years and I think switching to SHA-256 for instance is a low-hanging fruit.
> Vulnerable to SHAttered attack
> ------------------------------
>
> Key: JAMES-2201
> URL: https://issues.apache.org/jira/browse/JAMES-2201
> Project: James Server
> Issue Type: Bug
> Components: mailbox
> Affects Versions: master
> Reporter: Thibaut SAUTEREAU
> Priority: Minor
> Fix For: master
>
>
> Given the way SHA-1 is used to index attachments, it is vulnerable to the
> SHAttered attack (https://shattered.io/), meaning you can overwrite the
> attachment of a first email with a second email.
> It is not critical yet as it took a lot of computational power from Google to
> generate those 2 PDFs, but this issue will probably become widespread in
> coming years and I think switching to SHA-256 for instance is a low-hanging
> fruit.
> The same problem arises with Cassandra blob IDs.
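The overwrite described in the issue, as an added example that is not James code and not part of the original message: a hypothetical `BlobStore` keyed by a digest of the content, shown with a weak ID function and then with SHA-256 plus a content check. Assumption: `weak_id` (SHA-1 truncated to 16 bits) is a constructed stand-in so that a colliding pair can be found offline; all class and function names are hypothetical.

```python
import hashlib
from itertools import count


def weak_id(data: bytes) -> str:
    """Constructed stand-in for a collision-prone hash: SHA-1 cut to 16 bits."""
    return hashlib.sha1(data).hexdigest()[:4]


def sha256_id(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class BlobStore:
    """Hypothetical content-addressed store: blob ID = id_fn(content)."""

    def __init__(self, id_fn, verify=False):
        self.id_fn, self.verify, self.blobs = id_fn, verify, {}

    def save(self, data: bytes) -> str:
        blob_id = self.id_fn(data)
        existing = self.blobs.get(blob_id)
        # Defence in depth: same ID but different bytes means a collision.
        if self.verify and existing is not None and existing != data:
            raise ValueError(f"ID collision on {blob_id}: refusing to overwrite")
        self.blobs[blob_id] = data
        return blob_id

    def read(self, blob_id: str) -> bytes:
        return self.blobs[blob_id]


def find_colliding_pair(id_fn):
    """Find two different inputs with one ID (cheap only for the 16-bit stand-in)."""
    seen = {}
    for i in count():
        data = b"attachment-%d" % i  # constructed sample content
        blob_id = id_fn(data)
        if blob_id in seen:
            return seen[blob_id], data
        seen[blob_id] = data


def demo():
    first, second = find_colliding_pair(weak_id)
    weak = BlobStore(weak_id)
    id_first = weak.save(first)   # attachment of the first email
    weak.save(second)             # second email's attachment lands on the same ID
    overwritten = weak.read(id_first) != first
    strong = BlobStore(sha256_id, verify=True)
    id_a, id_b = strong.save(first), strong.save(second)
    intact = strong.read(id_a) == first and strong.read(id_b) == second
    return overwritten, intact
```

`demo()` returns `(True, True)`: the weak-ID store hands back the second email's bytes for the first email's ID, while the SHA-256 store keeps both blobs under distinct IDs.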