July 2012 - jboss-jira - Jboss List Archives

[JBoss JIRA] (AS7-4982) add-user.sh script use weakeness hashing algorithm (MD5) that is broken for a long time

by Yannick LE NY (JIRA)

Yannick LE NY created AS7-4982: ---------------------------------- Summary: add-user.sh script use weakeness hashing algorithm (MD5) that is broken for a long time Key: AS7-4982 URL: https://issues.jboss.org/browse/AS7-4982 Project: Application Server 7 Issue Type: Bug Components: Console Affects Versions: 7.1.2.Final (EAP) Environment: Jboss EAP 6.0 Beta2 Jboss AS 7.1.1 Linux RHEL 5.4 JDK 1.6.0_24 Reporter: Yannick LE NY Assignee: Heiko Braun Fix For: 7.1.3.Final (EAP) In Jboss EAP 6.0 Beta2 or Jboss AS 7.1.1, we need to use the bin/add-user.sh script to add user access to the Jboss console. And in the the bin/add-user.sh script, you can find that the org.jboss.as.domain-add-user java class is used to : 1) add the login in the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties 2) first hash the password with MD5 hash algorithm and then copy it hashed in the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties When you search about the org.jboss.as.domain-add-user java class on the Internet, you find this source file http://grepcode.com/file/repo1.maven.org/maven2/org.jboss.as/jboss-as-dom... and this file use an import of the org.jboss.sasl.util.UsernamePasswordHashUtil class that is in the file http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/... In the file UsernamePasswordHashUtil.java, we can see that this is the weakness MD5 hash algorithm that is used and that is broken for a long time : At http://en.wikipedia.org/wiki/MD5, the wikipedia article said : "In 1996, a flaw was found with the design of MD5, and while it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1—which has since been found also to be vulnerable. In 2004, more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable...In December 2008, a group of researchers used this technique to fake SSL certificate validity,[7][8] and US-CERT now says that MD5 "should be considered cryptographically broken and unsuitable for further use."[9] and most U.S. government applications now require the SHA-2 family of hash functions." org.jboss.sasl.util.UsernamePasswordHashUtil class use java.security.MessageDigest class. As you can see at : http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html, getAlgorithm function can use several hash or Message Digest Algorithms. The hash or Message Digest Algorithms available are : MD2 (weak), MD5 (weak), SHA-1 (weak), SHA-256, SHA-384, and SHA-512 http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/Cry... Then can you replace the weakness MD5 Message Digest Algorithm used by add-user.sh by SHA-256 or AES-256. The security team in my big company want now that all the application servers used in the company use strong cipher algorithm as 3DES used by Oracle Weblogic 10 or as AES-256 used by Oracle Weblogic 11. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 5 months

2
10
0 / 0

[JBoss JIRA] (AS7-3977) Serve gzip encoded console resources

by Heiko Braun (JIRA)

Heiko Braun created AS7-3977: -------------------------------- Summary: Serve gzip encoded console resources Key: AS7-3977 URL: https://issues.jboss.org/browse/AS7-3977 Project: Application Server 7 Issue Type: Feature Request Components: Console, Domain Management Reporter: Heiko Braun Assignee: Heiko Braun Fix For: 7.1.2.Final To decrease network latency when loading the console form a remote host. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 5 months

3
6
0 / 0

[JBoss JIRA] Created: (JBAS-8198) DomainController discovery system

by Brian Stansberry (JIRA)

DomainController discovery system --------------------------------- Key: JBAS-8198 URL: https://jira.jboss.org/browse/JBAS-8198 Project: JBoss Application Server Issue Type: Task Security Level: Public (Everyone can see) Components: Domain Management Reporter: Brian Stansberry Fix For: 7.0.0.M1 Mechanism(s) by which a ServerManager finds a DomainController so it can begin the process of integrating into the domain. Task includes the host.xml schema elements to configure this, the domain object model classes behind those elements, and the actual implementation of discovery from both the ServerManager and DomainController sides. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 5 months

7
14
0 / 0

[JBoss JIRA] (AS7-5077) "JBAS014101: Failed to find SFSB instance with session ID" calling @javax.ejb.Remove method

by Marek Schmidt (JIRA)

Marek Schmidt created AS7-5077: ---------------------------------- Summary: "JBAS014101: Failed to find SFSB instance with session ID" calling @javax.ejb.Remove method Key: AS7-5077 URL: https://issues.jboss.org/browse/AS7-5077 Project: Application Server 7 Issue Type: Bug Components: EJB Affects Versions: 7.1.2.Final (EAP) Reporter: Marek Schmidt Assignee: jaikiran pai Calling a SFSB @javax.ejb.Remove method results an ugly INFO message in the logs: e.g. (modified helloworld-jsf quickstart): {code} @Named @Stateless public class RichBean { @Resource SessionContext sessionContext; public void greet() { TestEjb testEjb = (TestEjb)sessionContext.lookup("java:app/jboss-as-helloworld-jsf/TestEjb"); System.out.println(testEjb.greet()); testEjb.remove(); } } {code} {code} @Stateful public class TestEjb { @Remove public void remove() { } public String greet() { return "Hello"; } } {code} {code} <h:form id="helloWorld"> <h:commandButton action="#{richBean.greet()}" value="Greet" /> </h:form> {code} {noformat} 14:35:46,105 INFO [stdout] (http-/127.0.0.1:8080-1) Hello 14:35:46,106 INFO [org.jboss.as.ejb3] (http-/127.0.0.1:8080-1) JBAS014101: Failed to find SFSB instance with session ID {[95, 12, 97, -35, -110, -123, 79, -16, -116, -95, -99, -57, 52, 38, 81, 85]} in cache {noformat} -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 5 months

7
10
0 / 0

[JBoss JIRA] (AS7-5085) Operations to read content from the content repository

by Brian Stansberry (JIRA)

Brian Stansberry created AS7-5085: ------------------------------------- Summary: Operations to read content from the content repository Key: AS7-5085 URL: https://issues.jboss.org/browse/AS7-5085 Project: Application Server 7 Issue Type: Feature Request Reporter: Brian Stansberry -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 5 months

1
4
0 / 0

[JBoss JIRA] (AS7-4998) Describe inheritance relationships in the resource description metadata

by Brian Stansberry (JIRA)

11 years, 5 months

1
1
0 / 0

[JBoss JIRA] (AS7-4997) Add reference description information to resource metadata

by Brian Stansberry (JIRA)

11 years, 5 months

1
1
0 / 0

[JBoss JIRA] Created: (JBAS-8139) Ability to rollback AS version updates

by Brian Stansberry (JIRA)

Ability to rollback AS version updates -------------------------------------- Key: JBAS-8139 URL: https://jira.jboss.org/browse/JBAS-8139 Project: JBoss Application Server Issue Type: Feature Request Security Level: Public (Everyone can see) Components: Domain Management Reporter: Brian Stansberry Fix For: Unscheduled This JIRA is based on feedback we received after the Andiamo BOF at JBoss World 2010: >> A fixpack installer that handles version rollbacks would be fantastic. >> Of course it needs to remain flexible to work with JBoss installs that >> have been manually modified. Note that this may be out of scope for community AS 7; e.g. it may be a JON function. However, the AS 7 design of things like how we lay down content on the filesystem should take this use case into account. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 5 months

3
4
0 / 0

[JBoss JIRA] (AS7-5182) properly transform/resolve expression values

by Emanuel Muckenhuber (JIRA)

Emanuel Muckenhuber created AS7-5182: ---------------------------------------- Summary: properly transform/resolve expression values Key: AS7-5182 URL: https://issues.jboss.org/browse/AS7-5182 Project: Application Server 7 Issue Type: Sub-task Components: Domain Management Reporter: Emanuel Muckenhuber Priority: Critical Fix For: 7.2.0.CR1 We need to be able to properly handle values which are getting changed to allow expressions. The problem is that older HCs won't understand the expression value, therefore they need be resolved before sending the initial model. At this point this can only be done against domain/host specific system properties. Server-group and server level overrides would be lost when starting a managed server. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 5 months

2
4
0 / 0

[JBoss JIRA] (AS7-4595) Better reporting if a master and slave HC are both launched from the same directory

by Kabir Khan (JIRA)

Kabir Khan created AS7-4595: ------------------------------- Summary: Better reporting if a master and slave HC are both launched from the same directory Key: AS7-4595 URL: https://issues.jboss.org/browse/AS7-4595 Project: Application Server 7 Issue Type: Feature Request Reporter: Kabir Khan The only symptom at the moment is hangs on startup on the slave as mentioned in AS7-4593. -- This message is automatically generated by JIRA. If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.jboss.org/secure/ContactAdministrators!default.jspa For more information on JIRA, see: http://www.atlassian.com/software/jira

11 years, 5 months

2
2
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

jboss-jira July 2012