CVE-2022-23942: Hard-coded Credentials in Apache Doris


Description

Apache Doris uses a hard-coded AES key and a fixed IV to initialize the cipher that protects the LDAP password. Because both constants ship in the public source, anyone who obtains a ciphertext can decrypt the password with them, which may lead to information disclosure.

Proof of Concept

In org.apache.doris.common.util.SymmetricEncryption the cipher is initialized with a hard-coded key and a fixed IV, so every deployment shares the same secret and identical passwords always produce identical ciphertexts:

    // 16-byte AES key compiled into every build: anyone with the source has it.
    private static byte[] key = { 0x56, 0x73, 0x36, 0x68, 0x4b, 0x56, 0x27, 0x67, 0x24, 0x46, 0x77, 0x57, 0x75, 0x5a,
            0x46, 0x74 };

    private static final Cipher getCipher(int cipherMode) throws InvalidAlgorithmParameterException,
            InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException, UnsupportedEncodingException {
        Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
        final SecretKeySpec secretKey = new SecretKeySpec(key, "AES");
        // Fixed IV: with the fixed key, the same plaintext always encrypts to the same ciphertext.
        IvParameterSpec ivSpec = new IvParameterSpec("AAAAAAAAAAAAAAAA".getBytes("UTF-8"));
        cipher.init(cipherMode, secretKey, ivSpec);
        return cipher;
    }
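To make the disclosure concrete, the following Go program (an added example, not code from the Doris project or from this advisory) re-implements the scheme above with the same key and IV, shows that a ciphertext decrypts with nothing but those public constants, and sets it beside the pattern a fix should follow: a key supplied from outside the binary and a random per-message nonce under AES-GCM. Go's `cipher.NewCFBEncrypter` is full-block CFB, which matches Java's default `AES/CFB`, and the `pkcs5Pad`/`pkcs5Unpad` helpers reproduce `PKCS5Padding`, so the vulnerable functions produce the same bytes as the Java code. The names `VulnerableEncrypt`, `VulnerableDecrypt`, `HardenedEncrypt` and `HardenedDecrypt` are this example's own, and the source of the caller-supplied key (a KMS or protected config file) is an assumption; the advisory does not say how the project replaced the constants.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Key and IV copied from the advisory's SymmetricEncryption excerpt. They ship
// in every Doris build, so they are exactly as secret as the source code.
var dorisKey = []byte{0x56, 0x73, 0x36, 0x68, 0x4b, 0x56, 0x27, 0x67,
	0x24, 0x46, 0x77, 0x57, 0x75, 0x5a, 0x46, 0x74}
var dorisIV = []byte("AAAAAAAAAAAAAAAA")

// pkcs5Pad and pkcs5Unpad reproduce Java's PKCS5Padding for AES (16-byte blocks).
func pkcs5Pad(b []byte) []byte {
	n := aes.BlockSize - len(b)%aes.BlockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs5Unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%aes.BlockSize != 0 {
		return nil, errors.New("ciphertext is not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return b[:len(b)-n], nil
}

// VulnerableEncrypt mirrors the Doris scheme: AES/CFB/PKCS5Padding with the
// fixed key and IV. Java's "CFB" is full-block CFB128, which is what Go's
// cipher.NewCFBEncrypter implements, so the output matches the Java code.
func VulnerableEncrypt(plaintext []byte) []byte {
	block, _ := aes.NewCipher(dorisKey) // 16-byte key, cannot fail
	padded := pkcs5Pad(plaintext)
	out := make([]byte, len(padded))
	cipher.NewCFBEncrypter(block, dorisIV).XORKeyStream(out, padded)
	return out
}

// VulnerableDecrypt is all an attacker needs once they hold a ciphertext:
// every input to it comes from the public source tree.
func VulnerableDecrypt(ciphertext []byte) ([]byte, error) {
	block, _ := aes.NewCipher(dorisKey)
	out := make([]byte, len(ciphertext))
	cipher.NewCFBDecrypter(block, dorisIV).XORKeyStream(out, ciphertext)
	return pkcs5Unpad(out)
}

// newGCM builds an AES-GCM AEAD from a caller-supplied 16/24/32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// HardenedEncrypt is the pattern a fix should follow (an illustration, not the
// project's patch): the key comes from outside the binary (assumed: a KMS or a
// protected config file), the nonce is random per message and prepended to the
// output, and GCM authenticates the result so tampering is detected.
func HardenedEncrypt(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

func HardenedDecrypt(key, data []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(data) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := data[:aead.NonceSize()], data[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, nil) // fails on a wrong key or any tampering
}

func main() {
	ct := VulnerableEncrypt([]byte("ldap-secret")) // constructed sample password
	pt, _ := VulnerableDecrypt(ct)
	fmt.Printf("ciphertext %x decrypts to %q using only the public constants\n", ct, pt)
}
```

Two things to check in a real deployment follow from this: any stored value produced by the vulnerable scheme should be treated as plaintext and the LDAP password rotated after upgrading, and a hardened replacement must store the per-message nonce with the ciphertext, since the old ciphertexts carry none.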

Timeline

References