<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:57:22 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>
    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[JAVA-2497] GridFSUploadStreamImpl.java uses MD5 which is reported by Veracode as Broken or Risky Cryptographic Algorithm</title>
                <link>https://jira.mongodb.org/browse/JAVA-2497</link>
                <project id="10006" key="JAVA">Java Driver</project>
                    <description>&lt;p&gt;Hi,&lt;/p&gt;

&lt;p&gt;We are using GridFS features of Mongo DB.&lt;/p&gt;

&lt;p&gt;We are using Mongo java driver 3.4.1.&lt;/p&gt;

&lt;p&gt;A recent Veracode testing on our application code identified an issue related to the Mongo driver jar, as below.&lt;/p&gt;

&lt;p&gt;Use of a Broken or Risky Cryptographic Algorithm (CWE ID 327)&lt;/p&gt;

&lt;p&gt;This was in class GridFSUploadStreamImpl.java in line 59.&lt;/p&gt;

&lt;p&gt;It seems *MD5* is being used there and that algorithm is known to have vulnerabilities.&lt;/p&gt;

&lt;p&gt;We need to address all vulnerabilities reported by Veracode otherwise we would not be able to move the app to production.&lt;/p&gt;

&lt;p&gt;It appears a stronger/safer algorithm should have been used in the code.&lt;/p&gt;

&lt;p&gt;Can you please let us know the resolution/workaround/implications of this, if any.&lt;/p&gt;

&lt;p&gt;If you believe this is a false positive from Veracode, please do let us know the same and also the reasons for the same and we can submit the same to mitigate the issue accordingly.&lt;/p&gt;

&lt;p&gt;If not, and there are any planned fixes for this, please let us know details on the same, which would also be required while submitting/getting approval.&lt;/p&gt;

&lt;p&gt;Thanks,&lt;br/&gt;
Jack&lt;/p&gt;
</description>
                <environment></environment>
        <key id="375397">JAVA-2497</key>
            <summary>GridFSUploadStreamImpl.java uses MD5 which is reported by Veracode as Broken or Risky Cryptographic Algorithm</summary>
                <type id="3" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14718&amp;avatarType=issuetype">Task</type>
                                            <priority id="2" iconUrl="https://jira.mongodb.org/images/icons/priorities/critical.svg">Critical - P2</priority>
                        <status id="6" iconUrl="https://jira.mongodb.org/images/icons/statuses/closed.png" description="The issue is considered finished, the resolution is correct. Issues which are closed can be reopened.">Closed</status>
                    <statusCategory id="3" key="done" colorName="success"/>
                                    <resolution id="13202">Works as Designed</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="jbaur">Jack Baur</reporter>
                        <labels>
                    </labels>
                <created>Wed, 19 Apr 2017 10:34:56 +0000</created>
                <updated>Fri, 27 Oct 2023 13:21:13 +0000</updated>
                            <resolved>Thu, 20 Apr 2017 08:54:07 +0000</resolved>
                <votes>0</votes>
                <watches>4</watches>
                <comments>
                            <comment id="1552427" author="ross@10gen.com" created="Wed, 19 Apr 2017 12:40:39 +0000"  >&lt;p&gt;Hi &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=jbaur&quot; class=&quot;user-hover&quot; rel=&quot;jbaur&quot;&gt;jbaur&lt;/a&gt;,&lt;/p&gt;

&lt;p&gt;GridFS is a convention-based library built on top of MongoDB for storing files / binary data. GridFS stores an MD5 checksum to ensure that files in GridFS have not been corrupted. This file data is stored in collections, just like any other data in MongoDB. Therefore, it is possible a user could directly access the &apos;files&apos; and &apos;chunks&apos; collections under GridFS and they could make changes to documents that would make them unusable by GridFS. Comparing the MD5 in the files collection document to a re-computed MD5 allows users to detect any such errors or corruption. The Java driver assumes that the stored file has not been corrupted. Applications that want to use the MD5 value to check for corruption must do so themselves. There are no immediate plans to change the hashing algorithm.&lt;/p&gt;

&lt;p&gt;Users can store their own metadata alongside the file data. As such they are able to store alternative hashes of the file contents and compare them in their applications to verify the contents of the file. This approach mitigates the need for using the MD5 generated hash in favour of a more robust hashing mechanism.&lt;/p&gt;

&lt;p&gt;For future reference, this project is for Java driver bugs or feature requests. The best place for questions regarding MongoDB usage or the Java driver specifics is the &lt;a href=&quot;https://groups.google.com/forum/#!forum/mongodb-user&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;mongodb-user mailing list&lt;/a&gt; or &lt;a href=&quot;http://stackoverflow.com&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;stackoverflow&lt;/a&gt; as you will reach a broader audience there. If your business requires an answer from MongoDB within a set time frame then we do offer &lt;a href=&quot;https://www.mongodb.com/products/production-support&quot; class=&quot;external-link&quot; target=&quot;_blank&quot; rel=&quot;nofollow noopener&quot;&gt;production support&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;I hope that helps,&lt;/p&gt;

&lt;p&gt;Ross&lt;/p&gt;</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10010">
                    <name>Duplicate</name>
                                                                <inwardlinks description="is duplicated by">
                                                        </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                    <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|hsybjz:</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                    <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                </customfields>
    </item>
</channel>
</rss>