Details
Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Description
There have been 2 places identified where weak hashing needs to be replaced by SHA256.
1. CookieSigner.java uses MessageDigest.getInstance("SHA"). Mostly SHA is mapped to SHA-1, which is not secure enough according to today's standards. We should use SHA-256 instead.
2. GenericUDFMaskHash.java uses DigestUtils.md5Hex. MD5 is considered weak and should be replaced by DigestUtils.sha256Hex.
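
The two replacements described above, sketched with JDK classes only. This is an added example, not code from the project: the class name `Sha256Migration`, the `value&s=signature` cookie layout, the value-then-secret digest order and the demo secret are all assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;

public class Sha256Migration {
    private static final String SEPARATOR = "&s="; // assumed layout: value&s=signature

    // Digest over the value followed by the secret, Base64-encoded (assumed signing scheme).
    static String sign(String algorithm, String value, byte[] secret) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        md.update(value.getBytes(StandardCharsets.UTF_8));
        md.update(secret);
        return Base64.getEncoder().encodeToString(md.digest());
    }

    static String signCookie(String value, byte[] secret) throws NoSuchAlgorithmException {
        return value + SEPARATOR + sign("SHA-256", value, secret);
    }

    // Returns the original value when the signature verifies, otherwise throws.
    static String verifyAndExtract(String cookie, byte[] secret) throws NoSuchAlgorithmException {
        int idx = cookie.lastIndexOf(SEPARATOR);
        if (idx < 0) throw new IllegalArgumentException("cookie is not signed");
        String value = cookie.substring(0, idx);
        byte[] presented = cookie.substring(idx + SEPARATOR.length()).getBytes(StandardCharsets.UTF_8);
        byte[] expected = sign("SHA-256", value, secret).getBytes(StandardCharsets.UTF_8);
        // MessageDigest.isEqual compares in constant time, unlike String.equals.
        if (!MessageDigest.isEqual(expected, presented)) throw new IllegalArgumentException("invalid signature");
        return value;
    }

    // JDK-only SHA-256 hex digest, standing in for the MD5 hex digest used for masking.
    static String sha256Hex(String input) throws NoSuchAlgorithmException {
        byte[] d = MessageDigest.getInstance("SHA-256").digest(input.getBytes(StandardCharsets.UTF_8));
        StringBuilder sb = new StringBuilder(d.length * 2);
        for (byte b : d) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        byte[] secret = "constructed-demo-secret".getBytes(StandardCharsets.UTF_8); // constructed sample
        // Compare the digest sizes behind the "SHA" alias and the explicit "SHA-256" name.
        System.out.println("SHA bytes: " + MessageDigest.getInstance("SHA").getDigestLength());
        System.out.println("SHA-256 bytes: " + MessageDigest.getInstance("SHA-256").getDigestLength());
        String cookie = signCookie("cu=alice", secret); // constructed cookie value
        System.out.println("verified value: " + verifyAndExtract(cookie, secret));
        System.out.println("masked: " + sha256Hex("alice@example.com"));
    }
}
```

Changing the algorithm changes every output: cookies signed before the switch no longer verify, and masked values no longer match hashes that were computed earlier with MD5.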