[JAVA-2493] Veracode testing identifies ScramSha1Authenticator.java 215 as using broken or risky cryptographic algorithm Created: 18/Apr/17 Updated: 27/Oct/23 Resolved: 20/Apr/17
| Status: | Closed |
| Project: | Java Driver |
| Component/s: | None |
| Affects Version/s: | None |
| Fix Version/s: | None |
| Type: | Task | Priority: | Critical - P2 |
| Reporter: | John Cussack | Assignee: | Unassigned |
| Resolution: | Works as Designed | Votes: | 0 |
| Labels: | None |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: |
| Description |
We are using the MongoDB Java driver 3.4.1 jar. When we did Veracode testing we found that , Can you please let us know if there is a resolution for this issue? Since it is a critical issue, we have to address it before moving to production. Can you please help us with this?
| Comments |
| Comment by Ross Lawley [ 19/Apr/17 ] |
Hi jcussack, just checking that my follow-up response answered your questions regarding the driver's use of SHA-1. There is a feature request ( Ross
| Comment by Ross Lawley [ 18/Apr/17 ] |
To clarify, SHA-1 as a standalone algorithm has been proven to be vulnerable. This is what Veracode is reporting: the use of SHA1. MongoDB 3.0 introduced a new password authentication mechanism called Salted Challenge Response Authentication Mechanism, or SCRAM. According to the SCRAM RFC (RFC5802):
At this time SCRAM-SHA-1 is not believed to be a vulnerable or risky algorithm. According to NIST:
So even though internally ScramSha1Authenticator.java uses SHA-1 as a part of the SCRAM algorithm, it is an acceptable hashing algorithm. For that reason I believe the Veracode report is showing a false positive. Finally, SCRAM-SHA-1 is only one of multiple authentication mechanisms for MongoDB. Alternatives include:
These may suit your requirements better; see the authentication documentation for more information. Ross
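Worked example of the SCRAM-SHA-1 computation discussed above, added here and not taken from the issue or the driver's code. It follows RFC 5802 using the RFC's own section 5 test exchange (user "user", password "pencil", the driver's own credential preparation step is left out) and runs both the client and the server side, so the reader can see that SHA-1 only ever appears as the PRF inside PBKDF2/HMAC and as a one-way hash of the high-entropy ClientKey, never as a bare hash of attacker-chosen data, which is the distinction behind the false-positive assessment.

```python
import base64
import hashlib
import hmac

def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def scram_sha1_keys(password: str, salt: bytes, iterations: int):
    """RFC 5802 section 3 derivation. SHA-1 is used only as the PRF inside
    PBKDF2/HMAC and as H(ClientKey); collision resistance is not relied on."""
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    client_key = hmac.new(salted, b"Client Key", hashlib.sha1).digest()
    stored_key = hashlib.sha1(client_key).digest()   # what the server stores
    server_key = hmac.new(salted, b"Server Key", hashlib.sha1).digest()
    return client_key, stored_key, server_key

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    client_key, stored_key, _ = scram_sha1_keys(password, salt, iterations)
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    return xor_bytes(client_key, client_sig)        # ClientProof = ClientKey XOR ClientSignature

def server_verify(stored_key: bytes, server_key: bytes, auth_message: bytes, proof: bytes):
    """Server side: it holds StoredKey/ServerKey, never the password. It recovers
    ClientKey from the proof and checks H(ClientKey) == StoredKey; on success it
    returns ServerSignature for the client to check, otherwise None."""
    client_sig = hmac.new(stored_key, auth_message, hashlib.sha1).digest()
    client_key = xor_bytes(proof, client_sig)
    if not hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key):
        return None
    return hmac.new(server_key, auth_message, hashlib.sha1).digest()

# Test exchange from RFC 5802 section 5 (user "user", password "pencil").
CLIENT_FIRST_BARE = b"n=user,r=fyko+d2lbbFgONRv9qkxdawL"
SERVER_FIRST = b"r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j,s=QSXCR+Q6sek8bf92,i=4096"
CLIENT_FINAL_WITHOUT_PROOF = b"c=biws,r=fyko+d2lbbFgONRv9qkxdawL3rfcNHYJY1ZVvWVs7j"
AUTH_MESSAGE = b",".join([CLIENT_FIRST_BARE, SERVER_FIRST, CLIENT_FINAL_WITHOUT_PROOF])
SALT = base64.b64decode("QSXCR+Q6sek8bf92")
ITERATIONS = 4096

def rfc5802_exchange():
    """Run both sides of the RFC example; returns the p= and v= values as base64."""
    proof = client_proof("pencil", SALT, ITERATIONS, AUTH_MESSAGE)
    _, stored_key, server_key = scram_sha1_keys("pencil", SALT, ITERATIONS)
    server_sig = server_verify(stored_key, server_key, AUTH_MESSAGE, proof)
    return (base64.b64encode(proof).decode(),
            base64.b64encode(server_sig).decode() if server_sig else None)

if __name__ == "__main__":
    print(rfc5802_exchange())
```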
| Comment by John Cussack [ 18/Apr/17 ] |
Thanks for your response. But, I am afraid I still do not get it. Do you mean the algorithm used is indeed a safer one and not broken as per Veracode? Can we go ahead with the resolution that it is not an issue? If not, I just wanted to know the timeline when we can expect to have it mitigated to a strong algorithm.
| Comment by Ross Lawley [ 18/Apr/17 ] |
Hi jcussack, for future reference, the best place for questions regarding MongoDB usage or the Java driver specifics is the mongodb-user mailing list or Stack Overflow, as you will reach a broader audience there. If your business requires an answer from MongoDB within a time frame, then we do offer production support. The line in question does use the SHA-1 algorithm as part of the SCRAM-SHA-1 MongoDB authentication. More information about SCRAM-SHA-1 can be found on the MongoDB blog. I hope that helps answer your questions, Ross