<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:57:21 UTC 2024

-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[JAVA-2493] Veracode testing identifies ScramSha1Authenticator.java 215 as using broken or risky cryptographic algorithm</title>
                <link>https://jira.mongodb.org/browse/JAVA-2493</link>
                <project id="10006" key="JAVA">Java Driver</project>
                    <description>&lt;p&gt;We are using the MongoDB Java driver 3.4.1 jar.&lt;/p&gt;

&lt;p&gt;When we did Veracode testing, we found that&lt;br/&gt;
 ScramSha1Authenticator.java line no. 215 was flagged as using a broken or risky cryptographic algorithm.&lt;/p&gt;

&lt;p&gt;Can you please let us know whether there is a resolution for this issue?&lt;/p&gt;

&lt;p&gt;Since it is a critical issue, we have to address it before moving to production.&lt;/p&gt;

&lt;p&gt;Can you please help us with this?&lt;/p&gt;</description>
                <environment></environment>
        <key id="375020">JAVA-2493</key>
            <summary>Veracode testing identifies ScramSha1Authenticator.java 215 as using broken or risky cryptographic algorithm</summary>
                <type id="3" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14718&amp;avatarType=issuetype">Task</type>
                                            <priority id="2" iconUrl="https://jira.mongodb.org/images/icons/priorities/critical.svg">Critical - P2</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13202">Works as Designed</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="jcussack">John Cussack</reporter>
                        <labels>
                    </labels>
                <created>Tue, 18 Apr 2017 10:54:20 +0000</created>
                <updated>Fri, 27 Oct 2023 13:21:13 +0000</updated>
                            <resolved>Thu, 20 Apr 2017 08:54:33 +0000</resolved>
                <votes>0</votes>
                <watches>5</watches>
                <comments>
                            <comment id="1552335" author="ross@10gen.com" created="Wed, 19 Apr 2017 08:46:55 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=jcussack&quot; class=&quot;user-hover&quot; rel=&quot;jcussack&quot;&gt;jcussack&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;Just checking that my follow-up response answered your questions regarding the driver&apos;s use of SHA-1.&lt;/p&gt;

&lt;p&gt;There is a feature request (&lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-28237&quot; title=&quot;Support selectable SCRAM-SHA-256 authentication&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-28237&quot;&gt;&lt;del&gt;SERVER-28237&lt;/del&gt;&lt;/a&gt;) to implement selectable SCRAM hashing methods, including SCRAM-SHA-256 as defined in &lt;a href=&quot;https://tools.ietf.org/html/rfc7677&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;RFC 7677&lt;/a&gt;; however, there is no current timeline for implementation.&lt;/p&gt;

&lt;p&gt;Ross&lt;/p&gt;</comment>
                            <comment id="1551565" author="ross@10gen.com" created="Tue, 18 Apr 2017 15:00:36 +0000"  >&lt;p&gt;To clarify, SHA-1 as a standalone algorithm has been proven to be vulnerable. This is what Veracode is reporting: the use of SHA-1.&lt;/p&gt;

&lt;p&gt;MongoDB 3.0 introduced a new password authentication mechanism called Salted Challenge Response Authentication Mechanism or SCRAM. According to the SCRAM RFC &lt;a href=&quot;https://tools.ietf.org/html/rfc5802&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;(RFC5802)&lt;/a&gt;:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;For interoperability, all SCRAM clients and servers MUST implement the SCRAM-SHA-1 authentication mechanism, i.e., an authentication mechanism from the SCRAM family that uses the SHA-1 hash function as defined in (RFC3174).&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;At this time SCRAM-SHA-1 is not believed to be a vulnerable or a risky algorithm. According to &lt;a href=&quot;http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar1.pdf&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;NIST&lt;/a&gt;:&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;The use of HMAC-based KDFs is acceptable using an approved hash function, including SHA-1.&lt;/p&gt;&lt;/blockquote&gt;

&lt;p&gt;So even though internally &lt;tt&gt;ScramSha1Authenticator.java&lt;/tt&gt; uses SHA-1 as a part of the SCRAM algorithm, it is an acceptable hashing algorithm. For that reason I believe the Veracode report is showing a false positive.&lt;/p&gt;

&lt;p&gt;Finally, SCRAM-SHA-1 is only one of multiple authentication mechanisms for MongoDB. Alternatives include:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;X.509&lt;/li&gt;
	&lt;li&gt;Kerberos (GSSAPI)&lt;/li&gt;
	&lt;li&gt;LDAP (PLAIN)&lt;/li&gt;
&lt;/ul&gt;


&lt;p&gt;These may suit your requirements better, see the &lt;a href=&quot;http://mongodb.github.io/mongo-java-driver/3.4/driver/tutorials/authentication/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;authentication documentation&lt;/a&gt; for more information.&lt;/p&gt;

&lt;p&gt;Ross&lt;/p&gt;</comment>
                            <comment id="1551410" author="jcussack" created="Tue, 18 Apr 2017 13:10:51 +0000"  >&lt;p&gt;Thanks for your response.&lt;/p&gt;

&lt;p&gt;But I am afraid I still do not get it.&lt;/p&gt;

&lt;p&gt;Do you mean the algorithm used is indeed a safer one and not broken as per Veracode?&lt;/p&gt;

&lt;p&gt;Can we go ahead with the resolution that it is not an issue? If not, I just wanted to know the timeline for when we can expect to have it mitigated to a strong algorithm.&lt;/p&gt;

</comment>
                            <comment id="1551341" author="ross@10gen.com" created="Tue, 18 Apr 2017 11:07:31 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=jcussack&quot; class=&quot;user-hover&quot; rel=&quot;jcussack&quot;&gt;jcussack&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;For future reference, the best place for questions regarding MongoDB usage or the Java driver specifics is the &lt;a href=&quot;https://groups.google.com/forum/#!forum/mongodb-user&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;mongodb-user mailing list&lt;/a&gt; or &lt;a href=&quot;http://stackoverflow.com&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;stackoverflow&lt;/a&gt;, as you will reach a broader audience there. If your business requires an answer from MongoDB within a time frame, then we do offer &lt;a href=&quot;https://www.mongodb.com/products/production-support&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;production support&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;The line in question does use the SHA-1 algorithm as part of the &lt;a href=&quot;https://docs.mongodb.com/v3.2/core/security-scram-sha-1/&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;SCRAM-SHA-1&lt;/a&gt; MongoDB authentication. More information about SCRAM-SHA-1 can be found on the &lt;a href=&quot;https://www.mongodb.com/blog/post/improved-password-based-authentication-mongodb-30-scram-explained-part-1&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;MongoDB blog&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;I hope that helps answer your questions,&lt;/p&gt;

&lt;p&gt;Ross&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                            <outwardlinks description="duplicates">
                                                        </outwardlinks>
                                                        </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hsy9iv:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>