  1. Java Driver
  2. JAVA-2497

GridFSUploadStreamImpl.java uses MD5 which is reported by Veracode as Broken or Risky Cryptographic Algorithm

Details

    • Type: Task
    • Resolution: Works as Designed
    • Priority: Critical - P2

    Description

      Hi,

      We are using GridFS features of Mongo DB.

      We are using Mongo java driver 3.4.1.

      A recent Veracode testing on our application code identified an issue related to the Mongo driver jar as below.

      Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)

      This was in class GridFSUploadStreamImpl.java in line 59.

      It seems MD5 is being used there and that algorithm is known to have vulnerabilities.

      We need to address all vulnerabilities reported by Veracode otherwise we would not be able to move the app to production.

      It appears a stronger/safer algorithm should have been used in the code.

      Can you please let us know the resolution/workaround/implications if any of this.

      If you believe this is a false positive from Veracode, please do let us know the same and also the reasons for the same and we can submit the same to mitigate the issue accordingly.

      If not and there are any planned fixes for this, please let us know details on the same, which would also be required while submitting/getting approval.

      Thanks,
      Jack

          People

            Assignee: Unassigned
            Reporter: Jack Baur (jbaur)