List:       oss-security
Subject:    [oss-security] CVE-2022-23942: Apache Doris(incubating) hardcoded cryptography initialization
From:       <morningman () 163 ! com>
Date:       2022-04-26 14:33:47
Message-ID: 3f9af332.69b6.180664aec3f.Coremail.morningman () 163 ! com

Severity: moderate

Description:
=============
Doris uses a hardcoded key and IV to initialize the cipher used for the LDAP password, which may lead to information disclosure.

Mitigation:
=============
Upgrading to 1.0.0 [1] or higher will resolve this problem.

Credit:
=============
We would like to thank Dwi Siswanto for reporting this issue.

References:
=============
https://lists.apache.org/thread/com2dyzp3bn2rdrotry90q2zzord4tvt
[1] http://doris.incubator.apache.org/downloads/downloads.html



--

Best Regards
Mingyu Chen

Email:
chenmingyu@apache.org
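
The class of issue described in this advisory, shown as an added example that is not part of the original message and is not Doris code: a cipher initialized from constants in the code beside a form that takes its key from the deployment and a fresh IV per encryption. The advisory does not name the cipher, so AES, the constant values, the class and method names, and the LDAP_PW_KEY_B64 variable are all assumptions made for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

public class LdapPasswordCipherDemo {
    // Weak pattern: key and IV are constants in the code, identical in every installation.
    // Constructed values for illustration, not the ones from the affected code.
    private static final byte[] FIXED_KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    private static final byte[] FIXED_IV = "fedcba9876543210".getBytes(StandardCharsets.US_ASCII);

    static byte[] encryptHardcoded(String password) throws Exception {
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(FIXED_KEY, "AES"), new IvParameterSpec(FIXED_IV));
        return c.doFinal(password.getBytes(StandardCharsets.UTF_8));
    }

    // Corrected pattern: key supplied per deployment, random IV per encryption, AES-GCM.
    static byte[] encryptWithDeploymentKey(byte[] key, String password) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length); // stored value is IV || ciphertext
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        String pw = "example-ldap-password"; // constructed sample input
        // Same constants and same plaintext give the same stored value everywhere,
        // and anyone who can read the code holds the key needed to decrypt it.
        System.out.println("hardcoded key/IV, outputs equal: "
                + Arrays.equals(encryptHardcoded(pw), encryptHardcoded(pw)));

        // Assumption: the key lives outside the code base, here base64 in an environment variable.
        String b64 = System.getenv("LDAP_PW_KEY_B64"); // hypothetical variable name
        byte[] key = (b64 != null) ? Base64.getDecoder().decode(b64) : new byte[32];
        if (b64 == null) new SecureRandom().nextBytes(key); // throwaway key so the demo runs
        System.out.println("deployment key + random IV, outputs equal: "
                + Arrays.equals(encryptWithDeploymentKey(key, pw), encryptWithDeploymentKey(key, pw)));
    }
}
```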


