Uploaded image for project: 'Crowd Data Center'
  1. Crowd Data Center
  2. CWD-1897

Automatically generated passwords (e.g. password reset) use insecure java.util.Random

XMLWordPrintable

    • Icon: Bug Bug
    • Resolution: Fixed
    • Icon: High High
    • 2.0.7
    • 2.0.3
    • None
    • None

      "Reset password" calls

      • com.atlassian.crowd.manager.directory.DirectoryManagerGeneric.resetPassword(), which calls
      • com.atlassian.crowd.integration.authentication.PasswordHelper.generateRandomPassword(), which calls
      • org.apache.commons.lang.RandomStringUtils.randomAlphanumeric(8) (link), which eventually calls
      • java.util.Random.nextInt(int) (link), which
      • uses a 48-bit seed, which is modified using a linear congruential formula. (See Donald Knuth, The Art of Computer Programming, Volume 2, Section 3.2.1.)

      Several obvious flaws:

      • What's Random() seeded with? It's often something predictable by an attacker.
      • java.util.Random() makes no attempt at being secure — knowing a given 48-bit state trivially gives you every previous and future state. The password has 47.6 log2(628) = 47.6 bits of entropy, so I just reset my password twice, crack the state, reset my password, and reset someone else's password.

      It's not that difficult to do a distributed brute-force of a 48-bit state, especially when the implementation gives you the 6.5 bits for free. There's also plenty of cryptanalysis, some of which might be relevant.

            [CWD-1897] Automatically generated passwords (e.g. password reset) use insecure java.util.Random

            Monique Khairuliana (Inactive) made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 - restricted [ 1509630 ] New: JAC Bug Workflow v3 [ 3365541 ]
            Status Original: Resolved [ 5 ] New: Closed [ 6 ]
            Owen made changes -
            Workflow Original: Simplified Crowd Development Workflow v2 [ 1391803 ] New: Simplified Crowd Development Workflow v2 - restricted [ 1509630 ]
            Owen made changes -
            Workflow Original: Crowd Development Workflow v2 [ 273750 ] New: Simplified Crowd Development Workflow v2 [ 1391803 ]
            jawong.adm made changes -
            Workflow Original: JIRA Bug Workflow v2 [ 210133 ] New: Crowd Development Workflow v2 [ 273750 ]
            shihab made changes -
            Fix Version/s New: 2.0.7 [ 15397 ]
            Resolution New: Fixed [ 1 ]
            Status Original: Reopened [ 4 ] New: Resolved [ 5 ]
            shihab made changes -
            Assignee New: shihab [ shamid@atlassian.com ]
            Resolution Original: Won't Fix [ 2 ]
            Status Original: Resolved [ 5 ] New: Reopened [ 4 ]
            shihab made changes -
            Resolution New: Won't Fix [ 2 ]
            Status Original: Open [ 1 ] New: Resolved [ 5 ]
            David O'Flynn [Atlassian] made changes -
            Priority Original: Major [ 3 ] New: Critical [ 2 ]
            David O'Flynn [Atlassian] made changes -
            Link New: This issue is incorporated by CWD-1875 [ CWD-1875 ]
            T Chan created issue -

              shamid@atlassian.com shihab
              0b1305f102cb T Chan
              Affected customers:
              0 This affects my team
              Watchers:
              1 Start watching this issue

                Created:
                Updated:
                Resolved: