java.lang.security.audit.crypto.use-of-aes-ecb.use-of-aes-ecb
semgrep
Author: unknown
Use of AES with ECB mode detected. ECB doesn't provide message confidentiality and is not semantically secure so should not be used. Instead, use a strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
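Why the rule flags ECB, as an added example that is not part of the Semgrep rule or its test file: under ECB, equal plaintext blocks encrypt to equal ciphertext blocks and the same message always encrypts to the same ciphertext, while CBC with a fresh random IV shows neither pattern. The class name `EcbLeakDemo`, the helper names and the sample plaintext are constructed for illustration.

```java
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.IvParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
// Added illustration; names and sample data are constructed, not from the rule.
public class EcbLeakDemo {
    static final int BLOCK = 16; // AES block size in bytes

    // True if any two 16-byte blocks of ct are identical.
    static boolean hasRepeatedBlock(byte[] ct) {
        for (int i = 0; i + BLOCK <= ct.length; i += BLOCK)
            for (int j = i + BLOCK; j + BLOCK <= ct.length; j += BLOCK)
                if (Arrays.equals(ct, i, i + BLOCK, ct, j, j + BLOCK)) return true;
        return false;
    }

    static byte[] encryptEcb(SecretKey key, byte[] pt) throws Exception {
        Cipher c = Cipher.getInstance("AES/ECB/PKCS5Padding"); // matched by use-of-aes-ecb
        c.init(Cipher.ENCRYPT_MODE, key);
        return c.doFinal(pt);
    }

    static byte[] encryptCbc(SecretKey key, byte[] pt) throws Exception {
        byte[] iv = new byte[BLOCK];
        new SecureRandom().nextBytes(iv); // fresh random IV for every message
        // SunJCE registers this padding as PKCS5Padding; the PKCS7PADDING
        // spelling in the rule message needs a provider that accepts that name.
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(iv));
        byte[] body = c.doFinal(pt);
        byte[] out = Arrays.copyOf(iv, BLOCK + body.length); // IV || ciphertext
        System.arraycopy(body, 0, out, BLOCK, body.length);
        return out;
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        SecretKey key = kg.generateKey();
        // Constructed plaintext: one 16-byte record repeated three times.
        byte[] pt = "amount=000100.00".repeat(3).getBytes(StandardCharsets.US_ASCII);
        System.out.println("ECB repeats blocks: " + hasRepeatedBlock(encryptEcb(key, pt)));
        System.out.println("CBC repeats blocks: " + hasRepeatedBlock(encryptCbc(key, pt)));
        System.out.println("ECB same msg twice equal: " + Arrays.equals(encryptEcb(key, pt), encryptEcb(key, pt)));
        System.out.println("CBC same msg twice equal: " + Arrays.equals(encryptCbc(key, pt), encryptCbc(key, pt)));
    }
}
```

The block uses `String.repeat` and the ranged `Arrays.equals`, so it needs Java 11 or later.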
Definition
rules:
  - id: use-of-aes-ecb
    pattern: $CIPHER.getInstance("=~/AES/ECB.*/")
    metadata:
      functional-categories:
        - crypto::search::mode::javax.crypto
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
        - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    message: "Use of AES with ECB mode detected. ECB doesn't provide message
      confidentiality and is not semantically secure so should not be used.
      Instead, use a strong, secure cipher:
      Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See
      https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
      for more information."
    severity: WARNING
    languages:
      - java
Examples
use-of-aes-ecb.java
class AES {
    public void useofAES() {
        // ruleid: use-of-aes-ecb
        Cipher.getInstance("AES/ECB/NoPadding");
    }

    public void useofAES2() {
        // ruleid: use-of-aes-ecb
        useCipher(Cipher.getInstance("AES/ECB/PKCS5Padding"));
    }

    public void ok() {
        // ok: use-of-aes-ecb
        Cipher.getInstance("AES/CBC/PKCS7PADDING");
    }
}
Short Link: https://sg.run/dB2Y