Ying Zhang created KAFKA-12306:
----------------------------------

             Summary: Avoid using plaintext/hard-coded key while generating secret key
                 Key: KAFKA-12306
                 URL: https://issues.apache.org/jira/browse/KAFKA-12306
             Project: Kafka
          Issue Type: Improvement
          Components: clients
            Reporter: Ying Zhang


We are a security research team at Virginia Tech. We are doing an empirical 
study about the usefulness of the existing security vulnerability detection 
tools. The following is a reported vulnerability by certain tools. We would 
appreciate it if you can give any feedback on it.

*Security Location:* 

In file 
kafka/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramFormatter.java
lines 58 and 76, new SecretKeySpec(key, algorithm) is invoked with a hard-coded 
key, which is defined in file 
kafka/clients/src/main/java/org/apache/kafka/common/security/scram/internals/ScramSaslClient.java
lines 127 -> 189.

*Security Impact:* 

Cryptographic keys should not be kept in the source code. The source code can 
be widely shared in an enterprise environment and is certainly shared in open 
source. The use of a hard-coded cryptographic key significantly increases the 
possibility that encrypted data may be recovered.

*Suggestions:*

To be managed safely, passwords and secret keys should be stored in separate 
configuration files. 

Useful link:

[https://cwe.mitre.org/data/definitions/321.html]

[https://www.appmarq.com/public/tqi,1039028,CWE-327-Avoid-weak-encryption-providing-not-sufficient-key-size-JEE]

*Please share with us your opinions/comments if there are any:*

Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
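
Added example for readers of this report (editor's illustration, not Kafka's ScramFormatter, ScramSaslClient or any project code): the CWE-321 pattern the report describes, a SecretKeySpec built from a key literal that lives in the source file, beside the remediation the report suggests, loading the key from a separate configuration file, with startup checks that refuse a missing, too-short or placeholder key. The class name, the property name hmac.key, the config file path in the comments and the choice of HmacSHA256 are assumptions made for the illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.IOException;
import java.io.Reader;
import java.io.StringReader;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Properties;

/**
 * Illustration only (not Kafka code): a key literal in source (CWE-321)
 * versus a key provisioned out of band and read from a separate config file.
 */
public class HmacKeySourcing {
    static final String ALGORITHM = "HmacSHA256";
    static final int MIN_KEY_BYTES = 32;           // 256 bits, the HMAC-SHA256 output size
    static final String KEY_PROPERTY = "hmac.key"; // assumed property name

    // --- Flagged pattern: the key is a constant in the source tree. ---
    // Everyone with read access to the repository or the built jar holds the key.
    private static final byte[] HARD_CODED_KEY =
            "example-hard-coded-key-do-not-ship".getBytes(StandardCharsets.UTF_8);

    static byte[] macWithHardCodedKey(byte[] message) throws Exception {
        Mac mac = Mac.getInstance(ALGORITHM);
        mac.init(new SecretKeySpec(HARD_CODED_KEY, ALGORITHM));
        return mac.doFinal(message);
    }

    // --- Remediation: the key is loaded at runtime from a separately managed file. ---
    static SecretKeySpec loadKey(Reader configSource) throws IOException {
        Properties config = new Properties();
        config.load(configSource);
        String encoded = config.getProperty(KEY_PROPERTY);
        if (encoded == null || encoded.trim().isEmpty()) {
            throw new IllegalStateException(KEY_PROPERTY + " is not set in the configuration");
        }
        byte[] raw = Base64.getDecoder().decode(encoded.trim());
        try {
            if (raw.length < MIN_KEY_BYTES) {
                throw new IllegalStateException(KEY_PROPERTY + " is only " + raw.length
                        + " bytes; expected at least " + MIN_KEY_BYTES);
            }
            if (Arrays.equals(raw, HARD_CODED_KEY)) {
                throw new IllegalStateException(KEY_PROPERTY + " still holds the development placeholder");
            }
            return new SecretKeySpec(raw, ALGORITHM); // SecretKeySpec copies the bytes
        } finally {
            Arrays.fill(raw, (byte) 0); // do not keep a second copy of the key in memory
        }
    }

    static byte[] macWithConfiguredKey(Reader configSource, byte[] message) throws Exception {
        Mac mac = Mac.getInstance(ALGORITHM);
        mac.init(loadKey(configSource));
        return mac.doFinal(message);
    }

    // What an operator runs once to provision the file (for example
    // /etc/myapp/hmac.properties with mode 0600, an assumed path): a fresh random key,
    // base64-encoded so it survives the properties format unchanged.
    static String newKeyProperty() {
        byte[] key = new byte[MIN_KEY_BYTES];
        new SecureRandom().nextBytes(key);
        String line = KEY_PROPERTY + "=" + Base64.getEncoder().encodeToString(key);
        Arrays.fill(key, (byte) 0);
        return line;
    }

    public static void main(String[] args) throws Exception {
        byte[] message = "test message".getBytes(StandardCharsets.UTF_8);

        // Constructed stand-in for the contents of the separate configuration file.
        String configText = newKeyProperty() + "\n";
        byte[] tag = macWithConfiguredKey(new StringReader(configText), message);
        System.out.println("HMAC with configured key: " + Base64.getEncoder().encodeToString(tag));

        // A config that still carries the source-code placeholder is rejected at startup.
        String bad = KEY_PROPERTY + "=" + Base64.getEncoder().encodeToString(HARD_CODED_KEY) + "\n";
        try {
            macWithConfiguredKey(new StringReader(bad), message);
        } catch (IllegalStateException e) {
            System.out.println("Rejected: " + e.getMessage());
        }
    }
}
```

The point of the split is that the source tree and the built artifact no longer carry the key: rotating it means editing one file on the host, not shipping a new build, and a reviewer can grep the repository for the property name to confirm that no literal value follows it. The length check and the placeholder check turn a misconfigured deployment into a startup failure rather than a silently weak MAC.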