java.lang.security.audit.crypto.use-of-rc4.use-of-rc4
semgrep
Author: unknown
Use of RC4 was detected. RC4 is vulnerable to several attacks, including stream cipher attacks and bit flipping attacks. Instead, use a strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions for more information.
Definition
rules:
  - id: use-of-rc4
    pattern: $CIPHER.getInstance("RC4")
    metadata:
      functional-categories:
        - crypto::search::symmetric-algorithm::javax.crypto
      cwe:
        - "CWE-327: Use of a Broken or Risky Cryptographic Algorithm"
      owasp:
        - A03:2017 - Sensitive Data Exposure
        - A02:2021 - Cryptographic Failures
      category: security
      technology:
        - java
      references:
        - https://owasp.org/Top10/A02_2021-Cryptographic_Failures
        - https://googleprojectzero.blogspot.com/2022/10/rc4-is-still-considered-harmful.html
      subcategory:
        - vuln
      likelihood: MEDIUM
      impact: MEDIUM
      confidence: HIGH
      license: Commons Clause License Condition v1.0[LGPL-2.1-only]
      vulnerability_class:
        - Cryptographic Issues
    message: 'Use of RC4 was detected. RC4 is vulnerable to several attacks,
      including stream cipher attacks and bit flipping attacks. Instead, use a
      strong, secure cipher: Cipher.getInstance("AES/CBC/PKCS7PADDING"). See
      https://owasp.org/www-community/Using_the_Java_Cryptographic_Extensions
      for more information.'
    severity: WARNING
    languages:
      - java
Examples
use-of-rc4.java
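import javax.crypto.Cipher;

class RC4 {
    public void useofRC4() throws Exception {
        // ruleid: use-of-rc4
        Cipher.getInstance("RC4");
    }

    public void useofRC4b() throws Exception {
        // ruleid: use-of-rc4
        useCipher(Cipher.getInstance("RC4"));
    }

    public void ok() throws Exception {
        // ok: use-of-rc4
        Cipher.getInstance("AES/CBC/PKCS7PADDING");
    }

    // Stub so the fixture compiles; the rule only inspects the getInstance call.
    private void useCipher(Cipher cipher) {
    }
}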
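A replacement for a flagged `Cipher.getInstance("RC4")` call, as an added example that is not part of the registry page or the rule's test file. It uses AES-GCM rather than the CBC transformation named in the rule message because GCM authenticates the ciphertext, so the bit flipping the message mentions is rejected at decryption; the class and method names (`Rc4Replacement`, `seal`, `open`) and the sample plaintext are assumptions.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example: hypothetical class and method names, constructed sample data.
public class Rc4Replacement {
    private static final int NONCE_LEN = 12;   // 96-bit nonce, the standard GCM size
    private static final int TAG_BITS = 128;   // full-length authentication tag

    // Returns nonce || ciphertext+tag. A fresh random nonce is drawn for every message.
    static byte[] seal(SecretKey key, byte[] plaintext) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(nonce, NONCE_LEN + ct.length);
        System.arraycopy(ct, 0, out, NONCE_LEN, ct.length);
        return out;
    }

    // Throws AEADBadTagException if nonce, ciphertext or tag were modified.
    static byte[] open(SecretKey key, byte[] sealed) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, sealed, 0, NONCE_LEN));
        return c.doFinal(sealed, NONCE_LEN, sealed.length - NONCE_LEN);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] sealed = seal(key, "amount=100".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(open(key, sealed), StandardCharsets.UTF_8));
        sealed[NONCE_LEN] ^= 0x01; // simulate one ciphertext bit changed in transit
        try {
            open(key, sealed);
            System.out.println("tampering NOT detected");
        } catch (AEADBadTagException e) {
            System.out.println("tampering detected, message rejected");
        }
    }
}
```

The key must never be reused with a repeated nonce; drawing the nonce from `SecureRandom` per call, as `seal` does, is what keeps that property.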
Short Link: https://sg.run/7OYR