CVE-2022-23942: Hard-coded Credentials in Apache Doris

- 1 min


Apache Doris use hardcoded key and IV to initialize the cipher used for LDAP password, which may lead to information disclosure.

Proof of Concept

In org.apache.doris.common.util.SymmetricEncryption the cipher is initialized with a hardcoded key and IV:

    private static byte[] key = { 0x56, 0x73, 0x36, 0x68, 0x4b, 0x56, 0x27, 0x67, 0x24, 0x46, 0x77, 0x57, 0x75, 0x5a,
            0x46, 0x74 };

    private static final Cipher getCipher(int cipherMode) throws InvalidAlgorithmParameterException,
            InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException, UnsupportedEncodingException {
        Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
        final SecretKeySpec secretKey = new SecretKeySpec(key, "AES");
        IvParameterSpec ivSpec = new IvParameterSpec("AAAAAAAAAAAAAAAA".getBytes("UTF-8"));
        cipher.init(cipherMode, secretKey, ivSpec);
        return cipher;