-
Task
-
Resolution: Done
-
Major
-
None
-
None
There is a line in MaskedPasswordImpl where Arrays#equals is currently used to compare a masked password byte array.
Arrays#equals is vulnerable to timing attacks because it uses a non time-constant comparison.
MessageDigest#isEqual uses a time-constant comparison which means that all bytes in the arrays will be compared.
Update MaskedPasswordImpl so that it uses the MessageDigest#isEqual method instead of Arrays#equals to compare maskedPasswordBytes.
- is depended on by
-
ELY-2418 CVE-2022-3143 wildfly-elytron: possible timing attacks via use of unsafe comparator
- Resolved