Details
- Type: Bug
- Status: Resolved
- Priority: Major
- Resolution: Not A Problem
- Version: 3.3.0
Description
I have scanned Java files with SonarQube and in https://github.com/apache/spark/blob/master/common/network-common/src/main/java/org/apache/spark/network/crypto/TransportCipher.java it flagged the following:

```java
@VisibleForTesting
CryptoOutputStream createOutputStream(WritableByteChannel ch) throws IOException {
  return new CryptoOutputStream(cipher, conf, ch, key, new IvParameterSpec(outIv));
}

@VisibleForTesting
CryptoInputStream createInputStream(ReadableByteChannel ch) throws IOException {
  return new CryptoInputStream(cipher, conf, ch, key, new IvParameterSpec(inIv));
}
```
When encrypting data with the Cipher Block Chaining (CBC) mode, an Initialization Vector (IV) is used to randomize the encryption, i.e., under a given key the same plaintext doesn't always produce the same ciphertext. The IV doesn't need to be secret but should be unpredictable to avoid a "Chosen-Plaintext Attack".
To generate Initialization Vectors, NIST recommends using a secure random number generator.
OWASP Top 10 2021 Category A2 - Cryptographic Failures
OWASP Top 10 2017 Category A6 - Security Misconfiguration
MITRE, CWE-329 - Not Using an Unpredictable IV with CBC Mode
MITRE, CWE-330 - Use of Insufficiently Random Values
NIST, SP-800-38A - Recommendation for Block Cipher Modes of Operation
Derived from FindSecBugs rule STATIC_IV
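The snippet above only shows that the IVs are fields (`outIv`, `inIv`) handed to the stream constructors; whether the STATIC_IV finding applies depends on how those fields are populated, which the flagged lines do not show, and that is what a reviewer has to trace before accepting the report. The following is an added example, not Spark code and not using Spark's Commons Crypto streams: it uses the plain JCE `AES/CBC/PKCS5Padding` cipher to contrast the pattern the rule is looking for (a hard-coded IV) with the pattern the rule text recommends (a fresh IV from `SecureRandom` per message, sent in the clear ahead of the ciphertext). The class and method names are assumptions chosen for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;

/** Added example (hypothetical class, not from Spark): static IV vs. SecureRandom IV with AES-CBC. */
public class CbcIvDemo {
    private static final SecureRandom RNG = new SecureRandom();
    private static final int IV_LEN = 16; // AES block size in bytes
    private static final String TRANSFORMATION = "AES/CBC/PKCS5Padding";

    // Weak pattern (CWE-329 / STATIC_IV): the IV is a constant shared by every message.
    private static final byte[] STATIC_IV = new byte[IV_LEN]; // all zeros

    static byte[] encryptStaticIv(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(STATIC_IV));
        return c.doFinal(plaintext);
    }

    // Recommended pattern: a fresh unpredictable IV for each message. The IV is not
    // secret, so it is simply prepended to the ciphertext for the receiver.
    static byte[] encryptRandomIv(SecretKey key, byte[] plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    // Receiver side: read the IV back off the front of the message, then decrypt the rest.
    static byte[] decryptRandomIv(SecretKey key, byte[] ivAndCt) throws GeneralSecurityException {
        IvParameterSpec iv = new IvParameterSpec(ivAndCt, 0, IV_LEN);
        Cipher c = Cipher.getInstance(TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, key, iv);
        return c.doFinal(ivAndCt, IV_LEN, ivAndCt.length - IV_LEN);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        // Constructed sample input: the same plaintext encrypted twice under one key.
        byte[] msg = "same plaintext twice".getBytes(StandardCharsets.UTF_8);

        // With a static IV, equal plaintexts produce equal ciphertexts, so an observer
        // of the channel learns when two messages are identical.
        boolean staticRepeats = Arrays.equals(encryptStaticIv(key, msg), encryptStaticIv(key, msg));

        // With a random IV the two ciphertexts differ, yet both decrypt to the original.
        byte[] a = encryptRandomIv(key, msg);
        byte[] b = encryptRandomIv(key, msg);
        boolean randomRepeats = Arrays.equals(a, b);
        boolean roundTrip = Arrays.equals(decryptRandomIv(key, a), msg)
                && Arrays.equals(decryptRandomIv(key, b), msg);

        System.out.println("static IV repeats ciphertext: " + staticRepeats);
        System.out.println("random IV repeats ciphertext: " + randomRepeats);
        System.out.println("random IV round-trips:        " + roundTrip);
    }
}
```

Compile and run with `javac CbcIvDemo.java && java CbcIvDemo`; the static-IV line reports repeated ciphertext while the random-IV line does not, and the round trip succeeds because the receiver recovers the IV from the message itself. The same contrast is what a static analyser is approximating when it flags `new IvParameterSpec(...)`: the tool sees the constructor call but not the provenance of the byte array, so a field that is filled from `SecureRandom` elsewhere (as the "Not A Problem" resolution of this issue suggests for Spark) looks the same to it as a constant.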