QID 983115

QID 983115: Java (maven) Security Update for org.opencastproject:opencast-common-jpa-impl (GHSA-h362-m8f2-5x7c)

Security update has been released for org.opencastproject:opencast-common-jpa-impl to fix the vulnerability.

Note: The preceding description block is extracted directly from the security advisory. Using automation, we have attempted to clean and format it as much as possible without introducing additional issues.

User passwords are stored in the database using the rather outdated and cryptographically insecure MD5 hash algorithm. Furthermore, the hashes are salted using the username instead of a random salt, causing hashes for users with the same username and password to collide which is problematic especially for popular users like the default `admin` user.

This essentially means that for an attacker, it might be feasible to reconstruct a user's password given access to these hashes.

Note that attackers needing access to the hashes means that they must gain access to the database in which these are stored first to be able to start cracking the passwords.

  • CVSS V3 rated as Critical - 8.1 severity.
  • CVSS V2 rated as Medium - 5.5 severity.
    • Solution
    The problem is addressed in Opencast 8.1 which now uses the modern and much stronger bcrypt password hashing algorithm for storing passwords. Note, that old hashes remain MD5 until the password is updated.

    For a list of users whose password hashes are stored using MD5, take a look at the `/user-utils/users/md5.json` REST endpoint.Workaround:
    There is no workaround.
    Vendor References

    CVEs related to QID 983115

    CVE-2020-5229 |
    Software Advisories
    Advisory ID Software Component Link
    GHSA-h362-m8f2-5x7c org.opencastproject:opencast-common-jpa-impl URL Logo github.com/advisories/GHSA-h362-m8f2-5x7c
    By selecting these links, you may be leaving CVEreport webspace. We have provided these links to other websites because they may have information that would be of interest to you. No inferences should be drawn on account of other sites being referenced, or not, from this page. There may be other websites that are more appropriate for your purpose. CVEreport does not necessarily endorse the views expressed, or concur with the facts presented on these sites. Further, CVEreport does not endorse any commercial products that may be mentioned on these sites. Please address comments about any linked pages to [email protected].