<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[CSHARP-4032] MD5.Create Method Use of Broken Cryptographic Algorithms</title>
                <link>https://jira.mongodb.org/browse/CSHARP-4032</link>
                <project id="10041" key="CSHARP">C# Driver</project>
                    <description>&lt;h4&gt;&lt;a name=&quot;Summary&quot;&gt;&lt;/a&gt;Summary &lt;/h4&gt;
&lt;p&gt;An MD5 hashing violation was found in the MongoDB C# driver.&lt;br/&gt;
See Microsoft code analysis rule CA5351 (Do Not Use Broken Cryptographic Algorithms).&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5351&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;https://docs.microsoft.com/en-us/dotnet/fundamentals/code-analysis/quality-rules/ca5351&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;The hashing algorithm used, MD5, has been found by researchers to be unsafe for protecting sensitive data with today&apos;s technology.&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;Pleaseprovidetheversionofthedriver.Ifapplicable%2CpleaseprovidetheMongoDBserverversionandtopology%28standalone%2Creplicaset%2Corshardedcluster%29.&quot;&gt;&lt;/a&gt;Please provide the version of the driver. If applicable, please provide the MongoDB server version and topology (standalone, replica set, or sharded cluster).&lt;/h4&gt;
&lt;p&gt;.NET Driver Version 2.14.1&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;HowtoReproduce&quot;&gt;&lt;/a&gt;How to Reproduce&lt;/h4&gt;
&lt;p&gt;&lt;em&gt;Steps to reproduce. If possible, please include a &lt;a href=&quot;http://sscce.org/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;Short, Self Contained, Correct (Compilable), Example&lt;/a&gt;.&lt;/em&gt;&lt;/p&gt;

&lt;h4&gt;&lt;a name=&quot;AdditionalBackground&quot;&gt;&lt;/a&gt;Additional Background&lt;/h4&gt;
&lt;p&gt;&lt;em&gt;Please provide any additional background information that may be helpful in diagnosing the bug.&lt;/em&gt;&lt;br/&gt;
&lt;b&gt;Line affected in&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;&lt;b&gt;AuthenticationHelper.cs&lt;/b&gt;&lt;/p&gt;

&lt;p&gt;mongo-csharp-driver/blob/master/src/MongoDB.Driver.Core/Core/Authentication/AuthenticationHelper.cs&lt;/p&gt;

&lt;pre&gt;private static string MongoPasswordDigest(string username, byte[] passwordBytes)
{
    var prefixString = username + &quot;:mongo:&quot;;
    var prefixBytes = Utf8Encodings.Strict.GetBytes(prefixString);

    var buffer = new byte[prefixBytes.Length + passwordBytes.Length];
    var bufferHandle = GCHandle.Alloc(buffer, GCHandleType.Pinned);
    try
    {
        Buffer.BlockCopy(prefixBytes, 0, buffer, 0, prefixBytes.Length);
        Buffer.BlockCopy(passwordBytes, 0, buffer, prefixBytes.Length, passwordBytes.Length);

        using (var md5 = MD5.Create())
        {
            var hash = md5.ComputeHash(buffer);
            return BsonUtils.ToHexString(hash);
        }
    }
    finally
    {
        Array.Clear(buffer, 0, buffer.Length);
        bufferHandle.Free();
    }
}&lt;/pre&gt;</description>
                <environment></environment>
        <key id="1975227">CSHARP-4032</key>
            <summary>MD5.Create Method Use of Broken Cryptographic Algorithms</summary>
                <type id="1" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14703&amp;avatarType=issuetype">Bug</type>
                                            <priority id="2" iconUrl="https://jira.mongodb.org/images/icons/priorities/critical.svg">Critical - P2</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13203">Gone away</resolution>
                                        <assignee username="robert@mongodb.com">Robert Stam</assignee>
                                    <reporter username="latitude80uk@gmail.com">Femi Osibote</reporter>
                        <labels>
                            <label>Hashing</label>
                            <label>MD5</label>
                            <label>Violation</label>
                    </labels>
                <created>Tue, 1 Feb 2022 18:23:21 +0000</created>
                <updated>Fri, 27 Oct 2023 19:56:04 +0000</updated>
                            <resolved>Thu, 17 Feb 2022 12:00:26 +0000</resolved>
                                                                    <component>API</component>
                                        <votes>0</votes>
                                    <watches>3</watches>
                                                                                                                <comments>
                            <comment id="4361036" author="dbeng-pm-bot" created="Thu, 17 Feb 2022 12:00:27 +0000"  >&lt;p&gt;There hasn&apos;t been any recent activity on this ticket, so we&apos;re resolving it. Thanks for reaching out! Please feel free to comment on this if you&apos;re able to provide more information.&lt;/p&gt;</comment>
                            <comment id="4331810" author="rstam" created="Wed, 2 Feb 2022 21:45:05 +0000"  >&lt;p&gt;Hi Femi,&lt;/p&gt;

&lt;p&gt;Thank you for reporting this issue.&lt;/p&gt;

&lt;p&gt;It looks like you found this using static code analysis. This MD5 code path is only used with older authentication mechanisms. You can avoid this code path entirely by using the SCRAM-SHA-256 authentication mechanism.&lt;/p&gt;

&lt;p&gt;We can&apos;t really remove this (yet at least) because in some installations it is still in use.&lt;/p&gt;

&lt;p&gt;There is a lot more information you can read about in the linked SECURITY-768 ticket (which was also created by you).&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                            <outwardlinks description="duplicates">
                                        <issuelink>
            <issuekey id="1812130">CSHARP-3729</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is duplicated by">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|i01vx3:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            </customfields>
    </item>
</channel>
</rss>