We use SmartGWT 5.0p LGPL, and when we submitted our code to HP for static analysis, a lot of critical vulnerabilities were identified in the smartgwt jar.

5.1.1 Key Management: Hardcoded Encryption Key (Critical)
CWE-321
OWASP Top 10: A6
PCI 3.0: 6.3.1 Hardcoded Sensitive Information, 6.5.3 Insecure Cryptographic Storage, 8.2.1 Render authentication credentials unreadable

Summary
Hardcoded encryption keys may compromise system security in a way that cannot be easily remedied.

Explanation
It is never a good idea to hardcode an encryption key because it allows all of the project's developers to view the encryption key, and makes fixing the problem extremely difficult. Once the code is in production, the encryption key cannot be changed without patching the software. If the account that is protected by the encryption key is compromised, the owners of the system will be forced to choose between security and availability.

In this case the encryption key is located in DataSource.js at line 22651.

Example 1: The following code uses a hardcoded encryption key:

```javascript
// ...
var crypto = require('crypto');
var encryptionKey = "lakdsljkalkjlksdfkl";
var algorithm = 'aes-256-ctr';
var cipher = crypto.createCipher(algorithm, encryptionKey);
```

Flagged locations:
com/smartclient/debug/public/sc/client/application/DataSource.js:22651
com/smartclient/debug/public/sc/client/application/Offline.js:1449
com/smartclient/debug/public/sc/client/application/Offline.js:1428
com/smartclient/debug/public/sc/client/widgets/Calendar.js:9639
com/smartclient/debug/public/sc/client/widgets/EditMode.js:3141
com/smartclient/debug/public/sc/client/widgets/form/CycleItem.js:35
com/smartclient/debug/public/sc/client/widgets/form/FormItem.js:14826
etc.

We have 50 of these issues and are looking for help on how to resolve this.