From: "Antonio Sanso (Jira)"
To: dev@sling.apache.org
Date: Thu, 7 May 2020 10:13:00 +0000 (UTC)
Subject: [jira] [Commented] (SLING-9418) Usage of SHA-256 is insecure

[ https://issues.apache.org/jira/browse/SLING-9418?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17101506#comment-17101506 ]

Antonio Sanso commented on SLING-9418:
--------------------------------------

[~stefanegli] I do not think the salt applies to this case. IMHO it is fine as it is.

> Usage of SHA-256 is insecure
> ----------------------------
>
>                 Key: SLING-9418
>                 URL: https://issues.apache.org/jira/browse/SLING-9418
>             Project: Sling
>          Issue Type: Improvement
>            Reporter: Md Mahir Asef Kabir
>            Priority: Major
>
> *Vulnerability Description:* In the file "src/main/java/org/apache/sling/discovery/base/connectors/ping/TopologyRequestValidator.java", the following code was written in the
> {code:java}
> private String hash(String toHash){code}
> method:
> {code:java}
> MessageDigest m = MessageDigest.getInstance("SHA-256");{code}
> The vulnerability is using "SHA-256" as the argument to the MessageDigest.getInstance method.
>
> *Reason it's vulnerable:* According to [this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/], "SHA256 functions do not include a salt and a separate function must be used to add the salt". Another reference can be found [here|https://dusted.codes/sha-256-is-not-a-secure-password-hashing-algorithm].
>
> *Suggested Fix:* According to [this|https://securityboulevard.com/2019/07/insecure-default-password-hashing-in-cmss/], "The most secure current hash functions are BCRYPT, SCRYPT, and Argon2".
>
> *Feedback:* Please select any of the options below to help us get an idea of how you felt about the suggestion:
> # Liked it and will make the suggested changes
> # Liked it but happy with the existing version
> # Didn't find the suggestion helpful
>
> *Note:* Tagging *[~stefanegli]* as suggested by [~rombert] in this [pull request|https://github.com/apache/sling-org-apache-sling-discovery-base/pull/1].

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
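The thread turns on whether salting is relevant to what TopologyRequestValidator hashes. The added example below (not the Sling project's code; the body of `hash` is reconstructed around the one line the issue quotes) shows the mechanical difference the report's references refer to: an unsalted `MessageDigest` SHA-256 is deterministic, so the same input always yields the same digest, whereas a password-hashing construction adds a random per-value salt and a tunable work factor. PBKDF2WithHmacSHA256 is used as the salted alternative because it ships with the JDK; the bcrypt/scrypt/Argon2 options named in the issue need a third-party library. Whether any of this applies depends on what the input to `hash` actually is, which is the point the comment above disputes.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.spec.InvalidKeySpecException;
import java.util.Base64;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;

public class HashComparison {

    // Reconstruction of the pattern quoted in SLING-9418: a plain, unsalted
    // SHA-256 digest of the input. Not the project's actual method body.
    static String hash(String toHash) throws NoSuchAlgorithmException {
        MessageDigest m = MessageDigest.getInstance("SHA-256");
        byte[] digest = m.digest(toHash.getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(digest);
    }

    // What "a separate function must be used to add the salt" means in
    // practice: random per-value salt plus a slow KDF. Output carries the
    // parameters needed to verify later: iterations$salt$derivedKey.
    static String hashPassword(char[] password, byte[] salt, int iterations)
            throws NoSuchAlgorithmException, InvalidKeySpecException {
        PBEKeySpec spec = new PBEKeySpec(password, salt, iterations, 256);
        SecretKeyFactory f = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256");
        byte[] dk = f.generateSecret(spec).getEncoded();
        spec.clearPassword();
        Base64.Encoder b64 = Base64.getEncoder();
        return iterations + "$" + b64.encodeToString(salt) + "$" + b64.encodeToString(dk);
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input for the demonstration, not a real credential.
        String secret = "correct horse battery staple";

        // Unsalted: equal inputs give equal digests, so a digest of a
        // low-entropy input can be matched against a precomputed table.
        System.out.println("unsalted digests equal: " + hash(secret).equals(hash(secret)));

        // Salted: two hashes of the same input differ, and each verification
        // costs `iterations` HMAC computations, which is what slows guessing.
        SecureRandom rng = new SecureRandom();
        byte[] salt1 = new byte[16], salt2 = new byte[16];
        rng.nextBytes(salt1);
        rng.nextBytes(salt2);
        System.out.println(hashPassword(secret.toCharArray(), salt1, 310_000));
        System.out.println(hashPassword(secret.toCharArray(), salt2, 310_000));
    }
}
```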