Details
Type: Task
Resolution: Works as Designed
Priority: Critical - P2
Description
Hi,
We are using the GridFS features of MongoDB.
We are using the MongoDB Java driver 3.4.1.
A recent Veracode test of our application code identified an issue related to the MongoDB driver jar, as below.
Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)
This was in class GridFSUploadStreamImpl.java in line 59.
It seems MD5 is being used there, and that algorithm is known to have vulnerabilities.
We need to address all vulnerabilities reported by Veracode otherwise we would not be able to move the app to production.
It appears a stronger/safer algorithm should have been used in the code.
Can you please let us know the resolution/workaround/implications, if any, of this?
If you believe this is a false positive from Veracode, please do let us know the same and also the reasons for the same and we can submit the same to mitigate the issue accordingly.
If not, and there are any planned fixes for this, please let us know the details on the same, which would also be required while submitting/getting approval.
Thanks,
Jack