[
https://issues.jboss.org/browse/AS7-4982?page=com.atlassian.jira.plugin.s...
]
Yannick LE NY updated AS7-4982:
-------------------------------
Description:
In Jboss EAP 6.0 Beta2 or Jboss AS 7.1.1, we need to use the bin/add-user.sh script to add
user access to the Jboss console.
And in the the bin/add-user.sh script, you can find that the org.jboss.as.domain-add-user
java class is used to :
1) add the login in the files standalone/configuration/mgmt-users.properties and
domain/configuration/mgmt-users.properties
2) first hash the password with MD5 hash algorithm and then copy it hashed in the files
standalone/configuration/mgmt-users.properties and
domain/configuration/mgmt-users.properties
When you search about the org.jboss.as.domain-add-user java class on the Internet, you
find this source file
http://grepcode.com/file/repo1.maven.org/maven2/org.jboss.as/jboss-as-dom...
and this file use an import of the org.jboss.sasl.util.UsernamePasswordHashUtil class that
is in the file
http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/...
In the file UsernamePasswordHashUtil.java, we can see that this is the weakness MD5 hash
algorithm that is used and that is broken for a long time :
At
http://en.wikipedia.org/wiki/MD5, the wikipedia article said :
"In 1996, a flaw was found with the design of MD5, and while it was not a clearly
fatal weakness, cryptographers began recommending the use of other algorithms, such as
SHA-1—which has since been found also to be vulnerable. In 2004, more serious flaws were
discovered in MD5, making further use of the algorithm for security purposes
questionable...In December 2008, a group of researchers used this technique to fake SSL
certificate validity,[7][8] and
US-CERT now says that MD5 "should be considered cryptographically broken and
unsuitable for further use."[9]
and most U.S. government applications now require the SHA-2 family of hash
functions."
org.jboss.sasl.util.UsernamePasswordHashUtil class use java.security.MessageDigest
class.
As you can see at :
http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html,
getAlgorithm function can use several hash or Message Digest Algorithms.
The hash or Message Digest Algorithms available are :
MD2 (weak), MD5 (weak), SHA-1 (weak), SHA-256, SHA-384, and SHA-512
http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA
http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/Cry...
Then can you replace the weakness MD5 Message Digest Algorithm used by add-user.sh by
SHA-256 or AES-256 ?
Note : The security team in my big company want now that all the application servers used
in the company use strong
cipher algorithm as 3DES used by Oracle Weblogic 10 or as AES-256 used by Oracle Weblogic
11.
was:
In Jboss EAP 6.0 Beta2 or Jboss AS 7.1.1, we need to use the bin/add-user.sh script to add
user access to the Jboss console.
And in the the bin/add-user.sh script, you can find that the org.jboss.as.domain-add-user
java class is used to :
1) add the login in the files standalone/configuration/mgmt-users.properties and
domain/configuration/mgmt-users.properties
2) first hash the password with MD5 hash algorithm and then copy it hashed in the files
standalone/configuration/mgmt-users.properties and
domain/configuration/mgmt-users.properties
When you search about the org.jboss.as.domain-add-user java class on the Internet, you
find this source file
http://grepcode.com/file/repo1.maven.org/maven2/org.jboss.as/jboss-as-dom...
and this file use an import of the org.jboss.sasl.util.UsernamePasswordHashUtil class that
is in the file
http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/...
In the file UsernamePasswordHashUtil.java, we can see that this is the weakness MD5 hash
algorithm that is used and that is broken for a long time :
At
http://en.wikipedia.org/wiki/MD5, the wikipedia article said :
"In 1996, a flaw was found with the design of MD5, and while it was not a clearly
fatal weakness, cryptographers began recommending the use of other algorithms, such as
SHA-1—which has since been found also to be vulnerable. In 2004, more serious flaws were
discovered in MD5, making further use of the algorithm for security purposes
questionable...In December 2008, a group of researchers used this technique to fake SSL
certificate validity,[7][8] and
US-CERT now says that MD5 "should be considered cryptographically broken and
unsuitable for further use."[9]
and most U.S. government applications now require the SHA-2 family of hash
functions."
org.jboss.sasl.util.UsernamePasswordHashUtil class use java.security.MessageDigest
class.
As you can see at :
http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html,
getAlgorithm function can use several hash or Message Digest Algorithms.
The hash or Message Digest Algorithms available are :
MD2 (weak), MD5 (weak), SHA-1 (weak), SHA-256, SHA-384, and SHA-512
http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA
http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/Cry...
Then can you replace the weakness MD5 Message Digest Algorithm used by add-user.sh by
SHA-256 or AES-256.
The security team in my big company want now that all the application servers used in the
company use strong
cipher algorithm as 3DES used by Oracle Weblogic 10 or as AES-256 used by Oracle Weblogic
11.
Jboss AS 7.1.1 / Jboss EAP 6.0 Beta2 : add-user.sh script use
weakeness hashing algorithm (MD5) that is broken for a long time
------------------------------------------------------------------------------------------------------------------------------
Key: AS7-4982
URL:
https://issues.jboss.org/browse/AS7-4982
Project: Application Server 7
Issue Type: Bug
Components: Domain Management
Affects Versions: 7.1.2.Final (EAP)
Environment: Jboss EAP 6.0 Beta2
Jboss AS 7.1.1
Linux RHEL 5.4
JDK 1.6.0_24
Reporter: Yannick LE NY
Assignee: Darran Lofthouse
In Jboss EAP 6.0 Beta2 or Jboss AS 7.1.1, we need to use the bin/add-user.sh script to
add user access to the Jboss console.
And in the the bin/add-user.sh script, you can find that the org.jboss.as.domain-add-user
java class is used to :
1) add the login in the files standalone/configuration/mgmt-users.properties and
domain/configuration/mgmt-users.properties
2) first hash the password with MD5 hash algorithm and then copy it hashed in the files
standalone/configuration/mgmt-users.properties and
domain/configuration/mgmt-users.properties
When you search about the org.jboss.as.domain-add-user java class on the Internet, you
find this source file
http://grepcode.com/file/repo1.maven.org/maven2/org.jboss.as/jboss-as-dom...
and this file use an import of the org.jboss.sasl.util.UsernamePasswordHashUtil class
that is in the file
http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/...
In the file UsernamePasswordHashUtil.java, we can see that this is the weakness MD5 hash
algorithm that is used and that is broken for a long time :
At
http://en.wikipedia.org/wiki/MD5, the wikipedia article said :
"In 1996, a flaw was found with the design of MD5, and while it was not a clearly
fatal weakness, cryptographers began recommending the use of other algorithms, such as
SHA-1—which has since been found also to be vulnerable. In 2004, more serious flaws were
discovered in MD5, making further use of the algorithm for security purposes
questionable...In December 2008, a group of researchers used this technique to fake SSL
certificate validity,[7][8] and
US-CERT now says that MD5 "should be considered cryptographically broken and
unsuitable for further use."[9]
and most U.S. government applications now require the SHA-2 family of hash
functions."
org.jboss.sasl.util.UsernamePasswordHashUtil class use java.security.MessageDigest
class.
As you can see at :
http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html,
getAlgorithm function can use several hash or Message Digest Algorithms.
The hash or Message Digest Algorithms available are :
MD2 (weak), MD5 (weak), SHA-1 (weak), SHA-256, SHA-384, and SHA-512
http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA
http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/Cry...
Then can you replace the weakness MD5 Message Digest Algorithm used by add-user.sh by
SHA-256 or AES-256 ?
Note : The security team in my big company want now that all the application servers used
in the company use strong
cipher algorithm as 3DES used by Oracle Weblogic 10 or as AES-256 used by Oracle Weblogic
11.
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators:
https://issues.jboss.org/secure/ContactAdministrators!default.jspa
For more information on JIRA, see:
http://www.atlassian.com/software/jira