
List:       oss-security
Subject:    [oss-security] [morningman@163.com: [oss-security] CVE-2022-23942: Apache Doris(incubating) hardcode
From:       Seth Arnold <seth.arnold () canonical ! com>
Date:       2022-04-26 23:18:25
Message-ID: 20220426231825.GA484258 () millbarge


Hello, the Apache Doris project recently switched away from using
hard-coded credentials; they apparently copy-and-pasted code from the
Kylin project:

https://www.openwall.com/lists/oss-security/2022/04/26/2
https://github.com/apache/incubator-doris/pull/7862/files

https://github.com/apache/kylin/blob/0fa41762ec0fc69c0b8029fc8a81b273388bbf1d/core-common/src/main/java/org/apache/kylin/common/util/EncryptUtil.java#L39


import java.io.UnsupportedEncodingException;
import java.security.InvalidAlgorithmParameterException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import javax.crypto.Cipher;
import javax.crypto.NoSuchPaddingException;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.kylin.common.KylinConfig;

public class EncryptUtil {
    /**
     * thisIsAsecretKey
     */
    // Hard-coded AES key, identical in every deployment that ships this class.
    private static byte[] key = { 0x74, 0x68, 0x69, 0x73, 0x49, 0x73, 0x41, 0x53, 0x65, 0x63,
            0x72, 0x65, 0x74, 0x4b, 0x65, 0x79 };

    private static final Cipher getCipher(int cipherMode) throws InvalidAlgorithmParameterException,
            InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException,
            UnsupportedEncodingException {
        Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
        final SecretKeySpec secretKey = new SecretKeySpec(key, "AES");
        // IV comes from configuration and is reused for every value encrypted with this key.
        IvParameterSpec ivSpec = new IvParameterSpec(
                KylinConfig.getInstanceFromEnv().getEncryptCipherIvSpec().getBytes("UTF-8"));
        cipher.init(cipherMode, secretKey, ivSpec);
        return cipher;
    }
}


Kylin may need a similar fix.

Thanks

----- Forwarded message from 陈明雨 <morningman@163.com> -----

Date: Tue, 26 Apr 2022 22:33:47 +0800 (CST)
From: 陈明雨 <morningman@163.com>
To: general <general@incubator.apache.org>, me@dw1.io, security@apache.org, oss-security@lists.openwall.com
Subject: [oss-security] CVE-2022-23942: Apache Doris(incubating) hardcoded cryptography initialization
Message-ID: <3f9af332.69b6.180664aec3f.Coremail.morningman@163.com>

Severity: moderate

Description:
=============
Doris uses a hardcoded key and IV to initialize the cipher used for the LDAP password, which may lead to information disclosure.

Mitigation:
=============
Upgrading to 1.0.0 [1] or higher will resolve this problem.

Credit:
=============
We would like to thank Dwi Siswanto for reporting this issue.

References:
=============
https://lists.apache.org/thread/com2dyzp3bn2rdrotry90q2zzord4tvt
[1] http://doris.incubator.apache.org/downloads/downloads.html



--

Sincerely, Best Regards
陈明雨 Mingyu Chen

Email:
chenmingyu@apache.org

----- End forwarded message -----


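For readers following both the quoted Kylin snippet and the Doris advisory above, here is what the fixed shape of such a utility looks like. This is an added illustration written for this archive page; it is not code from Doris, Kylin, or the pull request linked above. It assumes an environment variable named APP_LDAP_PASSWORD_KEY (a hypothetical name) carries a base64 AES key provisioned by the operator, and it swaps the quoted AES/CFB/PKCS5Padding for AES/GCM so that a random per-message IV and an integrity tag come for free. The two properties the advisory is about are the ones to check: the key is never present in the source tree, and no IV is ever reused.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical hardened counterpart to the quoted EncryptUtil: key from the environment, fresh IV per call. */
public final class EncryptUtilHardened {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended GCM nonce size
    private static final int TAG_BITS = 128;  // full-length authentication tag
    private static final SecureRandom RNG = new SecureRandom();

    private EncryptUtilHardened() {}

    /** Loads the AES key from an operator-supplied variable (assumed name); there is no built-in fallback key. */
    static SecretKey loadKey() {
        String b64 = System.getenv("APP_LDAP_PASSWORD_KEY"); // hypothetical variable name
        if (b64 == null || b64.isEmpty()) {
            throw new IllegalStateException("APP_LDAP_PASSWORD_KEY is not set; refusing to start with a default key");
        }
        byte[] raw = Base64.getDecoder().decode(b64);
        if (raw.length != 16 && raw.length != 24 && raw.length != 32) {
            throw new IllegalStateException("AES key must be 16, 24 or 32 bytes, got " + raw.length);
        }
        return new SecretKeySpec(raw, "AES");
    }

    /** Returns base64(iv || ciphertext || tag). Every call draws a new random IV, so equal inputs never collide. */
    public static String encrypt(SecretKey key, String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        RNG.nextBytes(iv);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Splits off the IV that encrypt() prepended and decrypts; a modified blob fails with AEADBadTagException. */
    public static String decrypt(SecretKey key, String encoded) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(encoded);
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("ciphertext too short to contain IV and tag");
        }
        byte[] iv = Arrays.copyOfRange(in, 0, IV_BYTES);
        byte[] ct = Arrays.copyOfRange(in, IV_BYTES, in.length);
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        return new String(cipher.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        SecretKey key = loadKey();
        String first = encrypt(key, "ldap-bind-password");   // constructed sample secret
        String second = encrypt(key, "ldap-bind-password");
        System.out.println("same plaintext, different ciphertext: " + !first.equals(second));
        System.out.println("round trip: " + decrypt(key, first));
    }
}
```

Run it with the variable set, e.g. `APP_LDAP_PASSWORD_KEY=$(openssl rand -base64 32) java EncryptUtilHardened.java`, and it prints `true` for the first line: the same stored password encrypted twice yields two different blobs, which is exactly what the fixed key plus fixed IV in the quoted code could not provide.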
