Details
-
Bug
-
Resolution: Won't Do
-
Major
-
None
-
7.1.2.Final (EAP)
-
None
Description
In Jboss EAP 6.0 Beta2 or Jboss AS 7.1.1, we need to use the bin/add-user.sh script to add user access to the Jboss console.
And in the the bin/add-user.sh script, you can find that the org.jboss.as.domain-add-user java class is used to :
1) add the login in the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties
2) first hash the password with MD5 hash algorithm and then copy it hashed in the files standalone/configuration/mgmt-users.properties and domain/configuration/mgmt-users.properties
When you search about the org.jboss.as.domain-add-user java class on the Internet, you find this source file
http://grepcode.com/file/repo1.maven.org/maven2/org.jboss.as/jboss-as-domain-management/7.1.1.Final/org/jboss/as/domain/management/security/AddPropertiesUser.java#AddPropertiesUser
and this file use an import of the org.jboss.sasl.util.UsernamePasswordHashUtil class that is in the file
http://grepcode.com/file/repository.jboss.org/nexus/content/repositories/releases/org.jboss.sasl/jboss-sasl/1.0.1.Final/org/jboss/sasl/util/UsernamePasswordHashUtil.java
In the file UsernamePasswordHashUtil.java, we can see that this is the weakness MD5 hash algorithm that is used and that is broken for a long time :
At http://en.wikipedia.org/wiki/MD5, the wikipedia article said :
"In 1996, a flaw was found with the design of MD5, and while it was not a clearly fatal weakness, cryptographers began recommending the use of other algorithms, such as SHA-1—which has since been found also to be vulnerable. In 2004, more serious flaws were discovered in MD5, making further use of the algorithm for security purposes questionable...In December 2008, a group of researchers used this technique to fake SSL certificate validity,[7][8] and
US-CERT now says that MD5 "should be considered cryptographically broken and unsuitable for further use."[9]
and most U.S. government applications now require the SHA-2 family of hash functions."
org.jboss.sasl.util.UsernamePasswordHashUtil class use java.security.MessageDigest class.
As you can see at : http://docs.oracle.com/javase/6/docs/api/java/security/MessageDigest.html,
getAlgorithm function can use several hash or Message Digest Algorithms.
The hash or Message Digest Algorithms available are :
MD2 (weak), MD5 (weak), SHA-1 (weak), SHA-256, SHA-384, and SHA-512
http://docs.oracle.com/javase/1.5.0/docs/guide/security/CryptoSpec.html#AppA
http://docs.oracle.com/javase/6/docs/technotes/guides/security/crypto/CryptoSpec.html#AppA
Then can you replace the weakness MD5 Message Digest Algorithm used by add-user.sh by
SHA-256 or AES-256 ?
Note : The security team in my big company want now that all the application servers used in the company use strong
cipher algorithm as 3DES used by Oracle Weblogic 10 or as AES-256 used by Oracle Weblogic 11.
