java.lang.security.audit.crypto.use-of-default-aes.use-of-default-aes


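Use of AES with no settings detected. By default, javax.crypto.Cipher uses ECB mode. ECB doesn't provide message confidentiality and is not semantically secure, so it should not be used. Instead, use a strong, secure cipher: javax.crypto.Cipher.getInstance("AES/CBC/PKCS7PADDING"). Note that the stock JDK provider names this padding PKCS5Padding (PKCS7Padding is accepted by providers such as Bouncy Castle), and that CBC on its own gives no integrity protection, so an authenticated mode such as "AES/GCM/NoPadding" is generally the better choice. See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.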


Definition

# Semgrep rule: flags Cipher.getInstance("AES") where only the algorithm name is
# given, so the provider picks the mode and padding (ECB per the message below).
rules:
  - id: use-of-default-aes
    # Three alternatives, one per way the Cipher class can be named after an
    # import. Each pairs an import context (pattern-inside) with the matching
    # spelling of the call.
    # Scope: only the exact string literal "AES" is matched. A differently cased
    # literal, a non-literal argument, or a transformation that names ECB
    # explicitly (e.g. "AES/ECB/PKCS5Padding") is not reported by this rule —
    # presumably left to other rules; confirm coverage before relying on it.
    pattern-either:
      # 1) `import javax;` + fully qualified javax.crypto.Cipher
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  import javax;
                  ...
          - pattern-either:
              - pattern: javax.crypto.Cipher.getInstance("AES")
              # typed-metavariable form: getInstance called through an
              # expression whose type is javax.crypto.Cipher
              - pattern: (javax.crypto.Cipher $CIPHER).getInstance("AES")
      # 2) `import javax.*;` or `import javax.crypto;` + crypto.Cipher
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  import javax.*;
                  ...
              - pattern-inside: |
                  import javax.crypto;
                  ...
          - pattern-either:
              - pattern: crypto.Cipher.getInstance("AES")
              - pattern: (crypto.Cipher $CIPHER).getInstance("AES")
      # 3) `import javax.crypto.*;` or `import javax.crypto.Cipher;` + bare Cipher
      - patterns:
          - pattern-either:
              - pattern-inside: |
                  import javax.crypto.*;
                  ...
              - pattern-inside: |
                  import javax.crypto.Cipher;
                  ...
          - pattern-either:
              - pattern: Cipher.getInstance("AES")
              - pattern: (Cipher $CIPHER).getInstance("AES")
    # Classification metadata shown with the finding; it does not affect matching.
    metadata:
      functional-categories:
        - crypto::search::mode::javax.crypto
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
        # NOTE(review): this link is titled for RC4, not AES/ECB — looks carried
        # over from another rule; confirm it is the intended reference.
        - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    # NOTE(review): the class is javax.crypto.Cipher (the text says
    # java.crypto.Cipher). With the stock JDK provider the padding is named
    # PKCS5Padding, and CBC alone is unauthenticated, so "AES/GCM/NoPadding" is
    # the usual recommendation when integrity matters.
    message: "Use of AES with no settings detected. By default, java.crypto.Cipher
      uses ECB mode. ECB doesn't  provide message confidentiality and is not
      semantically secure so should not be used. Instead, use a strong, secure
      cipher: java.crypto.Cipher.getInstance(\"AES/CBC/PKCS7PADDING\"). See
      https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
      for more information."
    severity: WARNING
    languages:
      - java

Examples

use-of-default-aes.java

import javax;

import javax.*;
// import javax.crypto;

import javax.crypto.*;
// import javax.crypto.Cipher;

/**
 * Test fixture for the use-of-default-aes rule.
 *
 * <p>Each statement is preceded by an annotation comment: {@code ruleid:} marks a
 * line the rule must report, {@code ok:} marks a line it must not report. The
 * annotation applies to the line directly below it, so nothing may be inserted
 * between an annotation and its statement.
 *
 * <p>The listing is matched as source text rather than built: {@code useCipher}
 * is not declared here and {@code crypto.Cipher} relies on the import variants
 * listed above the class.
 */
class AES{
  /**
   * Bare {@code getInstance("AES")} calls as standalone statements, in the three
   * spellings the rule covers (Cipher, crypto.Cipher, javax.crypto.Cipher).
   * The KeyGenerator calls use the same literal but are negative cases: the rule
   * targets Cipher only.
   */
  public void useofAES() {
    // ruleid: use-of-default-aes
    Cipher.getInstance("AES");

    // ruleid: use-of-default-aes
    crypto.Cipher.getInstance("AES");

    // ruleid: use-of-default-aes
    javax.crypto.Cipher.getInstance("AES");

    // ok: use-of-default-aes
    KeyGenerator.getInstance("AES");

    // ok: use-of-default-aes
    crypto.KeyGenerator.getInstance("AES");

    // ok: use-of-default-aes
    javax.crypto.KeyGenerator.getInstance("AES");
  }

  /**
   * Same cases as {@link #useofAES()}, but with each call nested as a method
   * argument, checking that the rule matches the expression wherever it appears.
   */
  public void useofAES2() {
    // ruleid: use-of-default-aes
    useCipher(Cipher.getInstance("AES"));

    // ruleid: use-of-default-aes
    useCipher(crypto.Cipher.getInstance("AES"));

    // ruleid: use-of-default-aes
    useCipher(javax.crypto.Cipher.getInstance("AES"));

    // ok: use-of-default-aes
    useCipher(KeyGenerator.getInstance("AES"));

    // ok: use-of-default-aes
    useCipher(crypto.KeyGenerator.getInstance("AES"));

    // ok: use-of-default-aes
    useCipher(javax.crypto.KeyGenerator.getInstance("AES"));
  }

  /**
   * Negative cases: a full transformation string (algorithm/mode/padding) must
   * not be reported, whichever class it is passed to.
   *
   * <p>NOTE(review): these lines only show what the rule leaves alone; they are
   * not a usage recommendation. KeyGenerator expects an algorithm name rather
   * than a transformation, and the stock JDK provider names this padding
   * PKCS5Padding.
   */
  public void ok() {
    // ok: use-of-default-aes
    Cipher.getInstance("AES/CBC/PKCS7PADDING");

    // ok: use-of-default-aes
    crypto.Cipher.getInstance("AES/CBC/PKCS7PADDING");

    // ok: use-of-default-aes
    javax.crypto.Cipher.getInstance("AES/CBC/PKCS7PADDING");

    // ok: use-of-default-aes
    KeyGenerator.getInstance("AES/CBC/PKCS7PADDING");

    // ok: use-of-default-aes
    crypto.KeyGenerator.getInstance("AES/CBC/PKCS7PADDING");

    // ok: use-of-default-aes
    javax.crypto.KeyGenerator.getInstance("AES/CBC/PKCS7PADDING");
  }
}