sling-dev mailing list archives

From "Oliver Lietz (Jira)" <>
Subject [jira] [Commented] (SLING-9418) Usage of SHA-256 is insecure
Date Fri, 08 May 2020 07:37:00 GMT


Oliver Lietz commented on SLING-9418:

[~asanso], The internal {{hash}} method is used in several places – have you done a complete

> Usage of SHA-256 is insecure
> ----------------------------
>                 Key: SLING-9418
>                 URL:
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
> *Vulnerability Description:* In “src/main/java/org/apache/sling/discovery/base/connectors/ping/”
> file the following code was written in
> {code:java}
> private String hash(String toHash){code}
> method -
> {code:java}
> MessageDigest m = MessageDigest.getInstance("SHA-256");{code}
> The vulnerability is using "SHA-256" as the argument to MessageDigest.getInstance
> *Reason it’s vulnerable:* According to [this|],
> “SHA256 functions do not include a salt and a separate function must be used to add the
> salt”. Another reference can be found [here|].
> *Suggested Fix:* According to [this|],
> “The most secure current hash functions are BCRYPT, SCRYPT, and Argon2”
> *Feedback:* Please select any of the options down below to help us get an idea about
> how you felt about the suggestion -
>  # Liked it and will make the suggested changes
>  # Liked it but happy with the existing version
>  # Didn’t find the suggestion helpful
> *Note:* Tagging *[~stefanegli]* as suggested by [~rombert] in this [pull request.|]
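The distinction the report turns on, shown as an added example that is not code from Sling or from the issue: a plain SHA-256 digest is deterministic and unsalted, which is what makes it unsuitable for storing passwords, whereas a salted memory-hard KDF (scrypt here, standing in for the bcrypt/scrypt/Argon2 the report names) yields a different result per salt and is verified by re-deriving with the stored salt. The scrypt parameters are assumed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple


def sha256_hex(data: str) -> str:
    """Plain SHA-256: no salt, same input always gives the same digest.
    Suitable for integrity checks or deriving an identifier from
    non-secret input; not a password-storage function."""
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


# Assumed scrypt cost parameters for illustration (raise n for production).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted, memory-hard derivation. Returns (salt, key); store both."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return salt, key


def verify_password(password: str, salt: bytes, stored_key: bytes) -> bool:
    """Re-derive with the stored salt; compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored_key)


def demo() -> dict:
    """Constructed sample input; returns the properties the text describes."""
    pw = "correct horse battery staple"
    salt1, key1 = hash_password(pw)
    salt2, key2 = hash_password(pw)
    return {
        "sha256_deterministic": sha256_hex(pw) == sha256_hex(pw),
        "scrypt_differs_per_salt": salt1 != salt2 and key1 != key2,
        "verify_ok": verify_password(pw, salt1, key1),
        "verify_wrong": verify_password("not the password", salt1, key1),
    }
```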
