[jboss-jira] [JBoss JIRA] Resolved: (JBAS-4460) Jboss Password Encryption Security Flaw
Andrew Oliver (JIRA)
jira-events at lists.jboss.org
Wed Dec 23 01:28:30 EST 2009
[ https://jira.jboss.org/jira/browse/JBAS-4460?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Andrew Oliver resolved JBAS-4460.
---------------------------------
Resolution: Won't Fix
The "encrypt the database" password thing is there for passing silly security audits. Ultimately there will be a password of some kind somewhere because the system needs to decrypt the password to send it to the database. It will always be easy for a relatively experienced programmer to hack this. Filesystem/OS security + transport security are your only hope here. Suggest an alternative that actually does more than obscure or obfuscate but still works.
> Jboss Password Encryption Security Flaw
> ---------------------------------------
>
> Key: JBAS-4460
> URL: https://jira.jboss.org/jira/browse/JBAS-4460
> Project: JBoss Application Server
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Components: Security
> Affects Versions: JBossAS-4.0.3 SP1
> Reporter: Scott Kesecki
> Assignee: Scott M Stark
>
> The Jboss salt to encrypt and decrypt passwords are stored in clear text in the jboss source that can be downloaded by everyone. Anyone that has a basic understanding of how java works can take the source tree get the class definition that has the password encryption and turn it into a a password decryption class.
--
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://jira.jboss.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
More information about the jboss-jira
mailing list