[JAVA-4014] Usage of broken hash algorithm detected Created: 12/Feb/21  Updated: 12/Feb/21  Resolved: 12/Feb/21

Status: Closed
Project: Java Driver
Component/s: None
Affects Version/s: None
Fix Version/s: None

Type: Improvement Priority: Major - P3
Reporter: Mahir Kabir Assignee: Unassigned
Resolution: Done Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified


 Description   

In file https://github.com/musasesay/mongo-java-driver/blob/033f4a7a0b369a641bf1e81352ee37b102c8ae4f/driver/src/main/com/mongodb/client/gridfs/GridFSUploadStreamImpl.java (at Line 59) "md5" algorithm has been used.

Security Impact:

The MD5 Message-Digest Algorithm is not collision-resistant, which makes it easier for context-dependent attackers to conduct spoofing attacks

Useful Resources:

https://www.cvedetails.com/cve/CVE-2004-2761/

Solution we suggest:

Use Sha >= 256 algorithms instead

Please share with us your opinions/comments if there is any:

Is the bug report helpful?



 Comments   
Comment by Ross Lawley [ 12/Feb/21 ]

Please note the repository listed is an old outdated clone of the official repository. See: https://github.com/mongodb/mongo-java-driver/

Comment by Ross Lawley [ 12/Feb/21 ]

Hi mdmahirasefk@vt.edu,

Originally MD5 was used as a checksum of the files content, in JAVA-2761 MD5 usage was made optional as per the GridFS specifications.

Then in the 4.0 driver MD5 usage was removed - see JAVA-3181. So no action needed.

All the best,

Ross

Generated at Thu Feb 08 09:01:01 UTC 2024 using Jira 9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66.