Project: JBoss Enterprise Application Platform
Key: JBEAP-10002

Use a constant time string comparison algorithm in UsernamePasswordLoginModule


Details

    Type: Bug
    Status: Verified
    Priority: Major
    Resolution: Done
    Affects Version/s: 7.1.0.DR13
    Fix Version/s: 7.1.0.DR14
    Component/s: Security
    Labels: None

    Description

      UsernamePasswordLoginModule uses String#equals(Object) to compare passwords or password hashes. This uses short circuit logic and stops comparing once a difference is found. This makes it vulnerable to timing attacks.

      MessageDigest#isEqual has been updated to address the issue. Unfortunately MessageDigest#isEqual operates on byte[] instead of String so we can't use it directly.
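The comparison the description asks for, as an added example that is not code from the issue or from the EAP/PicketBox login module. It shows the vulnerable String#equals pattern beside two early-exit-free alternatives: an adapter that encodes both strings with one fixed charset and hands the bytes to MessageDigest#isEqual, and a char-level accumulator loop that never returns early. Class and method names, and the sample hash value, are assumptions made for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;

// Added example (not EAP/PicketBox code): comparing a supplied password or
// password hash String against the stored one without a data-dependent exit.
public final class ConstantTimeStringCompare {

    private ConstantTimeStringCompare() {}

    // Vulnerable pattern named in the issue: String#equals returns at the first
    // differing character (or on a length mismatch), so the elapsed time tells
    // a remote caller how long the matching prefix was.
    public static boolean insecureEquals(String stored, String supplied) {
        return stored.equals(supplied);
    }

    // Option 1: adapt to MessageDigest#isEqual by encoding both Strings with one
    // explicit charset. The charset must be fixed; relying on the platform default
    // could turn the same String into different byte[] on different hosts.
    public static boolean constantTimeEqualsViaDigest(String stored, String supplied) {
        if (stored == null || supplied == null) {
            return false; // null never matches; String#equals on a null receiver would throw
        }
        byte[] a = stored.getBytes(StandardCharsets.UTF_8);
        byte[] b = supplied.getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(a, b);
    }

    // Option 2: char-level comparison with no early return. The loop always runs
    // over the full length of 'stored', the value the caller does not control;
    // a length mismatch is OR-ed into the accumulator instead of short-circuiting.
    public static boolean constantTimeEquals(String stored, String supplied) {
        if (stored == null || supplied == null) {
            return false;
        }
        int storedLen = stored.length();
        int suppliedLen = supplied.length();
        int diff = storedLen ^ suppliedLen; // non-zero if lengths differ
        for (int i = 0; i < storedLen; i++) {
            // Index 'supplied' at a valid position even when it is shorter. The
            // branch depends only on i and suppliedLen, both known to the caller,
            // not on the secret characters of 'stored'.
            int j = (i < suppliedLen) ? i : 0;
            char s = (suppliedLen == 0) ? 0 : supplied.charAt(j);
            diff |= stored.charAt(i) ^ s;
        }
        return diff == 0;
    }

    public static void main(String[] args) {
        // Constructed sample: a hex-encoded 128-bit hash as a login module might store it.
        String stored = "5f4dcc3b5aa765d61d8327deb882cf99";
        String correct = "5f4dcc3b5aa765d61d8327deb882cf99";
        String lastCharWrong = "5f4dcc3b5aa765d61d8327deb882cf9X";
        String tooShort = "5f4d";

        System.out.println("insecureEquals(correct):        " + insecureEquals(stored, correct));
        System.out.println("constantTimeEquals(correct):    " + constantTimeEquals(stored, correct));
        System.out.println("constantTimeEquals(lastWrong):  " + constantTimeEquals(stored, lastCharWrong));
        System.out.println("constantTimeEquals(tooShort):   " + constantTimeEquals(stored, tooShort));
        System.out.println("viaDigest(correct):             " + constantTimeEqualsViaDigest(stored, correct));
        System.out.println("viaDigest(lastWrong):           " + constantTimeEqualsViaDigest(stored, lastCharWrong));
    }
}
```

Two caveats a practitioner would check before relying on either option. MessageDigest#isEqual's handling of inputs of different length has varied across JDK releases (older ones return false immediately on a length mismatch, so only the per-byte comparison is constant-time), which is acceptable when both sides are fixed-length hashes but worth knowing when comparing raw passwords. And "constant time" in Java is best effort: the JIT may still compile the accumulator loop in ways that leak some timing, so the stronger fix is to avoid comparing attacker-controlled plaintext against a secret at all and compare fixed-length hash bytes instead.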

People

  Assignee: Stefan Guilhen (sguilhen)
  Reporter: Philippe Marschall (pmarscha, inactive)
  Votes: 0
  Watchers: 3
