oss-sec mailing list archives
[morningman () 163 com: [oss-security] CVE-2022-23942: Apache Doris(incubating) hardcoded cryptography initialization]
From: Seth Arnold <seth.arnold () canonical com>
Date: Tue, 26 Apr 2022 23:18:25 +0000
Hello, the Apache Doris project recently switched away from using hard-coded credentials; they apparently copy-and-pasted code from the Kylin project:

https://www.openwall.com/lists/oss-security/2022/04/26/2
https://github.com/apache/incubator-doris/pull/7862/files
https://github.com/apache/kylin/blob/0fa41762ec0fc69c0b8029fc8a81b273388bbf1d/core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java#L39

    // Imports the excerpt relies on (the quoted file declares them above line 39)
    import java.io.UnsupportedEncodingException;
    import java.security.InvalidAlgorithmParameterException;
    import java.security.InvalidKeyException;
    import java.security.NoSuchAlgorithmException;
    import javax.crypto.Cipher;
    import javax.crypto.NoSuchPaddingException;
    import javax.crypto.spec.IvParameterSpec;
    import javax.crypto.spec.SecretKeySpec;

    public class EncryptUtil {
        /**
         * thisIsAsecretKey
         */
        // AES-128 key compiled into the class; the bytes are the ASCII string "thisIsASecretKey"
        private static byte[] key = { 0x74, 0x68, 0x69, 0x73, 0x49, 0x73, 0x41, 0x53,
                                      0x65, 0x63, 0x72, 0x65, 0x74, 0x4b, 0x65, 0x79 };

        private static final Cipher getCipher(int cipherMode)
                throws InvalidAlgorithmParameterException, InvalidKeyException,
                       NoSuchPaddingException, NoSuchAlgorithmException,
                       UnsupportedEncodingException {
            Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
            final SecretKeySpec secretKey = new SecretKeySpec(key, "AES");
            // IV comes from Kylin's own configuration class, so it is the same for every call
            IvParameterSpec ivSpec = new IvParameterSpec(
                    KylinConfig.getInstanceFromEnv().getEncryptCipherIvSpec().getBytes("UTF-8"));
            cipher.init(cipherMode, secretKey, ivSpec);
            return cipher;
        }
        // rest of the class omitted in the quoted excerpt
    }

Kylin may need a similar fix.

Thanks

----- Forwarded message from 陈明雨 <morningman () 163 com> -----

Date: Tue, 26 Apr 2022 22:33:47 +0800 (CST)
From: 陈明雨 <morningman () 163 com>
To: general <general () incubator apache org>, me () dw1 io, security () apache org, oss-security () lists openwall com
Subject: [oss-security] CVE-2022-23942: Apache Doris(incubating) hardcoded cryptography initialization
Message-ID: <3f9af332.69b6.180664aec3f.Coremail.morningman () 163 com>

Severity: moderate

Description:
=============
Doris uses a hardcoded key and IV to initialize the cipher used for the LDAP password, which may lead to information disclosure.

Mitigation:
=============
Upgrading to 1.0.0 [1] or higher will resolve this problem.

Credit:
=============
We would like to thank Dwi Siswanto for reporting this issue.

References:
=============
https://lists.apache.org/thread/com2dyzp3bn2rdrotry90q2zzord4tvt
[1] http://doris.incubator.apache.org/downloads/downloads.html

--
Sincerely! Best Regards
陈明雨 Mingyu Chen
Email: chenmingyu () apache org

----- End forwarded message -----
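The pattern the advisory describes (a key and IV fixed at compile time) is shown below next to a hardened variant, as an added example that is not code from the Doris or Kylin projects and does not reproduce the fix in Doris PR 7862. The weak half reuses the 16 key bytes quoted above with a constructed 16-byte IV; the hardened half is an assumption about how a deployment could do it: the key is read from an environment variable named LDAP_PASSWORD_KEY_B64 (an illustrative name), AES-GCM is used so the ciphertext is authenticated, and a fresh random nonce is generated per encryption and stored in front of the ciphertext. The class name and method names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not project code: hardcoded key/IV versus externally supplied key with per-message nonce.
public class PasswordCipherExample {

    // --- Weak pattern, as in the quoted EncryptUtil: key and IV are constants in the source ---
    // Same 16 key bytes as the excerpt above; the IV value is constructed for this example.
    private static final byte[] HARDCODED_KEY = "thisIsASecretKey".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] HARDCODED_IV  = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);

    static String weakEncrypt(String plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
        cipher.init(Cipher.ENCRYPT_MODE,
                    new SecretKeySpec(HARDCODED_KEY, "AES"),
                    new IvParameterSpec(HARDCODED_IV));
        return Base64.getEncoder().encodeToString(cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8)));
    }

    // --- Hardened pattern: key lives outside the source tree, nonce is random and travels with the ciphertext ---
    private static final SecureRandom RNG = new SecureRandom();
    private static final int GCM_IV_BYTES = 12;   // recommended nonce length for AES-GCM
    private static final int GCM_TAG_BITS = 128;  // full-length authentication tag

    /** Loads a base64-encoded AES key from the environment (hypothetical variable name). */
    static SecretKey loadKey() throws Exception {
        String encoded = System.getenv("LDAP_PASSWORD_KEY_B64");
        if (encoded == null) {
            // No key configured: generate one so the example runs stand-alone.
            // A real deployment must persist the key (keystore, secrets manager), never the source tree.
            KeyGenerator kg = KeyGenerator.getInstance("AES");
            kg.init(256);
            return kg.generateKey();
        }
        return new SecretKeySpec(Base64.getDecoder().decode(encoded), "AES");
    }

    /** Output layout: nonce (12 bytes) || ciphertext || GCM tag, base64-encoded. */
    static String encrypt(SecretKey key, String plaintext) throws Exception {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);  // fresh nonce every call; reuse under one key breaks GCM
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Splits off the nonce and verifies the tag; a tampered or foreign blob throws AEADBadTagException. */
    static String decrypt(SecretKey key, String encoded) throws Exception {
        byte[] in = Base64.getDecoder().decode(encoded);
        byte[] iv = Arrays.copyOfRange(in, 0, GCM_IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, GCM_IV_BYTES, in.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String secret = "ldap-bind-password";  // constructed sample plaintext

        // Weak scheme: the same plaintext always yields the same ciphertext, and anyone
        // holding the source (or the jar) holds the key, so stored values are recoverable.
        System.out.println("weak ciphertext repeats: " + weakEncrypt(secret).equals(weakEncrypt(secret)));

        // Hardened scheme: two encryptions of one value differ, and only the key holder can round-trip.
        SecretKey key = loadKey();
        String c1 = encrypt(key, secret);
        String c2 = encrypt(key, secret);
        System.out.println("hardened ciphertext repeats: " + c1.equals(c2));
        System.out.println("hardened round-trip ok: " + decrypt(key, c1).equals(secret));
    }
}
```

The design point for a stored LDAP bind password is that encrypting it only helps if the key is something an attacker who reads the configuration file or the jar does not also have; placing the key in the class, as the quoted code does, reduces the scheme to encoding. Moving the key to a keystore or secrets manager and rotating it is the mitigation; the random nonce and the GCM tag additionally stop equal passwords from being recognisable as equal and detect modification of the stored blob.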