[JAVA-2497] GridFSUploadStreamImpl.java uses MD5 which is reported by Veracode as Broken or Risky Cryptographic Algorithm Created: 19/Apr/17  Updated: 27/Oct/23  Resolved: 20/Apr/17

Status: Closed
Project: Java Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Task Priority: Critical - P2
Reporter: Jack Baur Assignee: Unassigned
Resolution: Works as Designed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Duplicate

 Description   

Hi,

We are using GridFS features of Mongo DB.

We are using Mongo java driver 3.4.1.

A recent Veracode testing on our application code identified an issue related Mongo driver jar as below.

Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)

This was in class GridFSUploadStreamImpl.java in line 59.

It seems *MD5 *is being used there and that algorithm is known to have vulnerabilities.

We need to address all vulnerabilities reported by Veracode otherwise we would not be able to move the app to production.

It appears a more stronger/safer algorithm should have been used in the code.

Can you please let us know the resolution/workaround/implications if any of this.

If you believe this is a false positive from Veracode, please do let us know the same and also the reasons for the same and we can submit the same to mitigate the issue accordingly.

If not and there are any planned fixes for this , Please let us know details on the same, which would also be required while submitting/getting approval.

Thanks,
Jack



 Comments   
Comment by Ross Lawley [ 19/Apr/17 ]

Hi jbaur,

GridFS is a convention based library built on top of MongoDB for storing files / binary data. GridFS stores an MD5 checksum to ensure that files in GridFS have not been corrupted. This file data is stored in collections, just like any other data in MongoDB. Therefore, it is possible a user could directly access the 'files' and ‘chunks’ collections under GridFS and they could make changes to documents that would make them unusable by GridFS. Comparing the MD5 in the files collection document to a re-computed MD5 allows users to detect any such errors or corruption. The Java driver assumes that the stored file has not been corrupted. Applications that want to use the MD5 value to check for corruption must do so themselves. There are no immediate plans to change the hashing algorithm.

Users can store their own metadata alongside the file data. As such they are able to store alternative hashes of the file contents and compare them in their applications to verify the contents of the file. This approach mitigates the need for using the MD5 generated hash in favour of a more robust hashing mechanism.

For future reference this project is for Java driver bugs or feature requests. The best place for questions regarding MongoDB usage or the Java driver specifics is the mongodb-user mailing list or stackoverflow as you will reach a boarder audience there. If your business requires an answer from MongoDB within a set time frame then we do offer production support.

I hope that helps,

Ross

Generated at Thu Feb 08 08:57:22 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.