...
GERONIMO-2925, GERONIMO-1135 describes a vulnerability in the WAS CE tool, which is based on Apache Geronimo. It uses the Advanced Encryption Standard (AES) to encrypt passwords but uses a hard-coded key that is identical for all the WAS CE server instances. Consequently, anyone who can download the software is provided with the key to every instance of the tool. This vulnerability was resolved by having each new installation of the tool generate its own unique key and use it henceforthfrom that time on.
Related Guidelines
MSC18-C. Be careful while handling sensitive data, such as passwords, in program code | ||||
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="f579932209b9aae0-a236f9bd-43c5422a-9c64a570-cb5ae3cd3ea2a38d1fbdfcb2"><ac:plain-text-body><![CDATA[ | [ISO/IEC TR 24772:2010 | http://www.aitcnet.org/isai/] | Hard-coded Password [XYP] | ]]></ac:plain-text-body></ac:structured-macro> |
CWE-259. Use of hard-coded password | ||||
| CWE-798. Use of hard-coded credentials |
...
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="4ba40e4e5e574976-89f04852-4cfa4d50-b8efb98a-5e1c8b7b81e4abdfd4728d3e"><ac:plain-text-body><![CDATA[ | [[Chess 2007 | AA. Bibliography#Chess 07]] | 11.2, Outbound Passwords: Keep Passwords out of Source Code | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="2ea0a61ea8f15646-63241e29-44a04a60-ade9abab-7bcdd23660fcf6e60f404962"><ac:plain-text-body><![CDATA[ | [[Fortify 2008 | AA. Bibliography#Fortify 08]] | Unsafe Mobile Code: Database Access | ]]></ac:plain-text-body></ac:structured-macro> |
<ac:structured-macro ac:name="unmigrated-wiki-markup" ac:schema-version="1" ac:macro-id="9f7dc53708fbda48-54adc465-439e408f-bcdf8d2c-0a19bbeb8bf3cec115c5924e"><ac:plain-text-body><![CDATA[ | [[Gong 2003 | AA. Bibliography#Gong 03]] | 9.4, Private Object State and Object Immutability | ]]></ac:plain-text-body></ac:structured-macro> |
...