Discussion:
[jira] [Created] (FELIX-5934) The Felix Web Console stores unsalted hashed password
Antonio Sanso (JIRA)
2018-09-21 06:07:00 UTC
Permalink
Antonio Sanso created FELIX-5934:
------------------------------------

Summary: The Felix Web Console stores unsalted hashed password
Key: FELIX-5934
URL: https://issues.apache.org/jira/browse/FELIX-5934
Project: Felix
Issue Type: Bug
Components: Web Console
Reporter: Antonio Sanso


The Felix Web Console currently stores unsalted hashed password [0]

This violates common security hygiene and industry standard.

The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. *Argon2* or *PBKDF2*  *.* See [1]

 

 [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]

[1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Antonio Sanso (JIRA)
2018-10-15 11:14:00 UTC
Permalink
[ https://issues.apache.org/jira/browse/FELIX-5934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16650083#comment-16650083 ]

Antonio Sanso commented on FELIX-5934:
--------------------------------------

[~cziegeler] I attached a proposed patch. I improved the current hashing algorithm adding salting and hashing iterations.
Post by Antonio Sanso (JIRA)
The Felix Web Console stores unsalted hashed password
-----------------------------------------------------
Key: FELIX-5934
URL: https://issues.apache.org/jira/browse/FELIX-5934
Project: Felix
Issue Type: Bug
Components: Web Console
Reporter: Antonio Sanso
Priority: Major
Attachments: FELIX-5934-patch.txt
The Felix Web Console currently stores unsalted hashed password [0]
This violates common security hygiene and industry standard.
The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. *Argon2* or *PBKDF2*  *.* See [1]
 
 [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]
[1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Antonio Sanso (JIRA)
2018-10-15 11:14:00 UTC
Permalink
[ https://issues.apache.org/jira/browse/FELIX-5934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Antonio Sanso updated FELIX-5934:
---------------------------------
Attachment: FELIX-5934-patch.txt
Post by Antonio Sanso (JIRA)
The Felix Web Console stores unsalted hashed password
-----------------------------------------------------
Key: FELIX-5934
URL: https://issues.apache.org/jira/browse/FELIX-5934
Project: Felix
Issue Type: Bug
Components: Web Console
Reporter: Antonio Sanso
Priority: Major
Attachments: FELIX-5934-patch.txt
The Felix Web Console currently stores unsalted hashed password [0]
This violates common security hygiene and industry standard.
The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. *Argon2* or *PBKDF2*  *.* See [1]
 
 [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]
[1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Christian Schneider (JIRA)
2018-10-15 12:06:00 UTC
Permalink
[ https://issues.apache.org/jira/browse/FELIX-5934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16650122#comment-16650122 ]

Christian Schneider commented on FELIX-5934:
--------------------------------------------

 If we have a fixed default password then I would keep it in the source code as plain text to make sure it is obvious that this password is not secure. 

I don't think hashing the default password makes any sense. It is just security by obscurity. Hashing a password only makes sense if it is secret. 

 
Post by Antonio Sanso (JIRA)
The Felix Web Console stores unsalted hashed password
-----------------------------------------------------
Key: FELIX-5934
URL: https://issues.apache.org/jira/browse/FELIX-5934
Project: Felix
Issue Type: Bug
Components: Web Console
Reporter: Antonio Sanso
Priority: Major
Attachments: FELIX-5934-patch.txt
The Felix Web Console currently stores unsalted hashed password [0]
This violates common security hygiene and industry standard.
The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. *Argon2* or *PBKDF2*  *.* See [1]
 
 [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]
[1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Antonio Sanso (JIRA)
2018-10-15 13:36:00 UTC
Permalink
[ https://issues.apache.org/jira/browse/FELIX-5934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16650211#comment-16650211 ]

Antonio Sanso commented on FELIX-5934:
--------------------------------------
Post by Antonio Sanso (JIRA)
The Felix Web Console stores unsalted hashed password
-----------------------------------------------------
Key: FELIX-5934
URL: https://issues.apache.org/jira/browse/FELIX-5934
Project: Felix
Issue Type: Bug
Components: Web Console
Reporter: Antonio Sanso
Priority: Major
Attachments: FELIX-5934-patch.txt
The Felix Web Console currently stores unsalted hashed password [0]
This violates common security hygiene and industry standard.
The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. *Argon2* or *PBKDF2*  *.* See [1]
 
 [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]
[1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Carsten Ziegeler (JIRA)
2018-11-13 10:35:00 UTC
Permalink
[ https://issues.apache.org/jira/browse/FELIX-5934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler updated FELIX-5934:
------------------------------------
Fix Version/s: webconsole-4.3.10
Post by Antonio Sanso (JIRA)
The Felix Web Console stores unsalted hashed password
-----------------------------------------------------
Key: FELIX-5934
URL: https://issues.apache.org/jira/browse/FELIX-5934
Project: Felix
Issue Type: Bug
Components: Web Console
Reporter: Antonio Sanso
Assignee: Carsten Ziegeler
Priority: Major
Fix For: webconsole-4.3.10
Attachments: FELIX-5934-patch.txt
The Felix Web Console currently stores unsalted hashed password [0]
This violates common security hygiene and industry standard.
The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. *Argon2* or *PBKDF2*  *.* See [1]
 
 [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]
[1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Carsten Ziegeler (JIRA)
2018-11-13 10:35:00 UTC
Permalink
[ https://issues.apache.org/jira/browse/FELIX-5934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler reassigned FELIX-5934:
---------------------------------------

Assignee: Carsten Ziegeler
Post by Antonio Sanso (JIRA)
The Felix Web Console stores unsalted hashed password
-----------------------------------------------------
Key: FELIX-5934
URL: https://issues.apache.org/jira/browse/FELIX-5934
Project: Felix
Issue Type: Bug
Components: Web Console
Reporter: Antonio Sanso
Assignee: Carsten Ziegeler
Priority: Major
Fix For: webconsole-4.3.10
Attachments: FELIX-5934-patch.txt
The Felix Web Console currently stores unsalted hashed password [0]
This violates common security hygiene and industry standard.
The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. *Argon2* or *PBKDF2*  *.* See [1]
 
 [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]
[1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Carsten Ziegeler (JIRA)
2018-11-13 10:39:00 UTC
Permalink
[ https://issues.apache.org/jira/browse/FELIX-5934?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Carsten Ziegeler resolved FELIX-5934.
-------------------------------------
Resolution: Fixed

Thanks for the patch [~asanso]. I'Ve applied it in rev 1846501.
Post by Antonio Sanso (JIRA)
The Felix Web Console stores unsalted hashed password
-----------------------------------------------------
Key: FELIX-5934
URL: https://issues.apache.org/jira/browse/FELIX-5934
Project: Felix
Issue Type: Bug
Components: Web Console
Reporter: Antonio Sanso
Assignee: Carsten Ziegeler
Priority: Major
Fix For: webconsole-4.3.10
Attachments: FELIX-5934-patch.txt
The Felix Web Console currently stores unsalted hashed password [0]
This violates common security hygiene and industry standard.
The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. *Argon2* or *PBKDF2*  *.* See [1]
 
 [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]
[1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Antonio Sanso (JIRA)
2018-11-13 10:53:00 UTC
Permalink
[ https://issues.apache.org/jira/browse/FELIX-5934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16685028#comment-16685028 ]

Antonio Sanso commented on FELIX-5934:
--------------------------------------

[~cziegeler] thanks a lot for applying . I would not call it completely resolved though. There is still the password initialization part to solve... But maybe we can handle in a different ticket ?
Post by Antonio Sanso (JIRA)
The Felix Web Console stores unsalted hashed password
-----------------------------------------------------
Key: FELIX-5934
URL: https://issues.apache.org/jira/browse/FELIX-5934
Project: Felix
Issue Type: Bug
Components: Web Console
Reporter: Antonio Sanso
Assignee: Carsten Ziegeler
Priority: Major
Fix For: webconsole-4.3.10
Attachments: FELIX-5934-patch.txt
The Felix Web Console currently stores unsalted hashed password [0]
This violates common security hygiene and industry standard.
The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. *Argon2* or *PBKDF2*  *.* See [1]
 
 [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]
[1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
Carsten Ziegeler (JIRA)
2018-11-13 11:04:00 UTC
Permalink
[ https://issues.apache.org/jira/browse/FELIX-5934?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16685048#comment-16685048 ]

Carsten Ziegeler commented on FELIX-5934:
-----------------------------------------

[~asanso] Different ticket sounds good to me, thanks
Post by Antonio Sanso (JIRA)
The Felix Web Console stores unsalted hashed password
-----------------------------------------------------
Key: FELIX-5934
URL: https://issues.apache.org/jira/browse/FELIX-5934
Project: Felix
Issue Type: Bug
Components: Web Console
Reporter: Antonio Sanso
Assignee: Carsten Ziegeler
Priority: Major
Fix For: webconsole-4.3.10
Attachments: FELIX-5934-patch.txt
The Felix Web Console currently stores unsalted hashed password [0]
This violates common security hygiene and industry standard.
The suggestion is to either add a random salt or use a stronger Password Storage algorithm e.g. *Argon2* or *PBKDF2*  *.* See [1]
 
 [0][https://github.com/apache/felix/blob/0bfe4ca7ebc6e81f0a9f4186a7ef58df4d92b4c9/webconsole/src/main/java/org/apache/felix/webconsole/internal/servlet/OsgiManager.java#L167]
[1] https://www.owasp.org/index.php/Password_Storage_Cheat_Sheet
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)

Loading...