CVE-2022-23942: Hard-coded Credentials in Apache Doris
Description
Apache Doris uses a hardcoded key and IV to initialize the cipher that protects LDAP passwords, which may lead to information disclosure.
Proof of Concept
In org.apache.doris.common.util.SymmetricEncryption, the cipher is initialized with a hardcoded key and IV:
    // Excerpt of org.apache.doris.common.util.SymmetricEncryption (vulnerable version).
    // Both the AES key and the IV are constants in the source, so anyone who can read the
    // code or the class file can decrypt every value this cipher ever produced.
    private static byte[] key = { 0x56, 0x73, 0x36, 0x68, 0x4b, 0x56, 0x27, 0x67, 0x24, 0x46, 0x77, 0x57, 0x75, 0x5a,
            0x46, 0x74 };

    private static final Cipher getCipher(int cipherMode) throws InvalidAlgorithmParameterException,
            InvalidKeyException, NoSuchPaddingException, NoSuchAlgorithmException, UnsupportedEncodingException {
        Cipher cipher = Cipher.getInstance("AES/CFB/PKCS5Padding");
        final SecretKeySpec secretKey = new SecretKeySpec(key, "AES");
        // Fixed IV: the same plaintext always encrypts to the same ciphertext.
        IvParameterSpec ivSpec = new IvParameterSpec("AAAAAAAAAAAAAAAA".getBytes("UTF-8"));
        cipher.init(cipherMode, secretKey, ivSpec);
        return cipher;
    }
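A hardened replacement, added here as an illustration and not Apache Doris's actual patch: the key is supplied at construction time from outside the code base, and a fresh random nonce is generated for every encryption and stored in front of the ciphertext. The class name LdapPasswordCipher is hypothetical, and the example also switches from CFB to AES-GCM so that stored values are integrity-protected.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public final class LdapPasswordCipher {
    private static final int NONCE_LEN = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;
    private static final SecureRandom RNG = new SecureRandom();
    private final SecretKeySpec key;
    // Key bytes must come from deployment (secrets file, KMS, environment), never from a constant.
    public LdapPasswordCipher(byte[] keyBytes) {
        if (keyBytes.length != 16 && keyBytes.length != 32) {
            throw new IllegalArgumentException("AES key must be 16 or 32 bytes");
        }
        this.key = new SecretKeySpec(keyBytes, "AES");
    }
    // Output layout: nonce || ciphertext+tag. The nonce is public; it only has to be unique per key.
    public byte[] encrypt(byte[] plaintext) throws GeneralSecurityException {
        byte[] nonce = new byte[NONCE_LEN];
        RNG.nextBytes(nonce);                       // fresh nonce for every call
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext);
        return ByteBuffer.allocate(NONCE_LEN + ct.length).put(nonce).put(ct).array();
    }
    public byte[] decrypt(byte[] blob) throws GeneralSecurityException {
        byte[] nonce = Arrays.copyOfRange(blob, 0, NONCE_LEN);
        byte[] ct = Arrays.copyOfRange(blob, NONCE_LEN, blob.length);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        return c.doFinal(ct);                       // throws AEADBadTagException if the blob was altered
    }
    public static void main(String[] args) throws GeneralSecurityException {
        byte[] demoKey = new byte[16];
        RNG.nextBytes(demoKey);                     // constructed stand-in for a key loaded from config
        LdapPasswordCipher cipher = new LdapPasswordCipher(demoKey);
        byte[] pw = "ldap-bind-secret".getBytes(StandardCharsets.UTF_8);
        byte[] first = cipher.encrypt(pw);
        byte[] second = cipher.encrypt(pw);
        // Unlike the fixed-IV cipher above, two encryptions of the same password differ.
        System.out.println("distinct ciphertexts: " + !Arrays.equals(first, second));
        System.out.println("roundtrip ok: " + Arrays.equals(pw, cipher.decrypt(first)));
    }
}
```

Because the nonce travels with each stored value, rotating the key only requires re-encrypting existing records; no constant in the source ever needs to change.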
Timeline
- 14 Jan 2022: Vulnerability reported.
- 14 Jan 2022: Apache Security Team acknowledged the report.
- 28 Jan 2022: Vulnerability fixed & announcement drafted.
- 28 Feb 2022: No updates.
- 10 Mar 2022: Vulnerability disclosed.