Google Git
Sign in
apache / ofbiz-framework / 9963c46c829b53af52f97f4dffc5756e820b4e00
commit9963c46c829b53af52f97f4dffc5756e820b4e00[log] [tgz]
authorJacques Le Roux <jacques.le.roux@les7arts.com>Wed Jul 21 10:54:03 2021 +0200
committerJacques Le Roux <jacques.le.roux@les7arts.com>Wed Jul 21 10:55:49 2021 +0200
tree1acd211630b8640cd296b0520e0a11fee743a378
parent2c421cedfba41f021fa75916e0fbd8f9d65f13e1 [diff]
Fixed: Static initialization vectors for encryption (OFBIZ-12281)

(after discussing this on security@ofbiz.apache.org, it was decided to open a
Jira issue for that)

I've noticed that OFBiz Framework sometimes uses static initialization vectors
(IV) while creating a cipher:

https://s.apache.org/vhlbj
https://s.apache.org/nyndk

IVs should be unique and ideally unpredictable to avoid producing the same
ciphertexts for the same plaintexts.

The issues can be fixed with something like the following:

byte[] rawIV = new byte[8];
SecureRandom random = new SecureRandom();
random.nextBytes(rawIV).
IvParameterSpec iv = new IvParameterSpec(rawIV);

jleroux: we prepend the IV in order to decrypt the plaintexts. I'll do
something similar in ValueLinkApi class ASAP

Thanks: Artem Smotrakov
1 file changed
tree: 1acd211630b8640cd296b0520e0a11fee743a378
  1. .github/
  2. applications/
  3. config/
  4. docs/
  5. framework/
  6. gradle/
  7. lib/
  8. runtime/
  9. themes/
  10. .asf.yaml
  11. .gitattributes
  12. .gitignore
  13. .hgignore
  14. .sonarcloud.properties
  15. .xmlcatalog.xml
  16. APACHE2_HEADER
  17. build.gradle
  18. CHANGELOG.adoc
  19. common.gradle
  20. CONTRIBUTING.adoc
  21. gradle.properties
  22. gradlew
  23. gradlew.bat
  24. init-gradle-wrapper.bat
  25. INSTALL
  26. LICENSE
  27. NOTICE
  28. OPTIONAL_LIBRARIES
  29. README.adoc
  30. settings.gradle
  31. VERSION