-
Task
-
Resolution: Done
-
Major
-
None
-
None
There’s 2 places in https://github.com/wildfly-security/wildfly-elytron/blob/1.x/password/impl/src/main/java/org/wildfly/security/password/impl/UnixMD5CryptPasswordImpl.java where Arrays#equals is currently used to compare hashes.
Arrays#equals is vulnerable to timing attacks because it uses a non time-constant comparison.
MessageDigest#isEqual uses a time-constant comparison which means that all bytes in the arrays will be compared.
Update UnixMD5CryptPassworldImpl so that it uses the MessageDigest#isEqual method instead of Arrays#equals to compare the hashes.
- is depended on by
-
ELY-2418 CVE-2022-3143 wildfly-elytron: possible timing attacks via use of unsafe comparator
- Resolved