https://bz.apache.org/bugzilla/show_bug.cgi?id=69607
Bug ID: 69607
Summary: MD5 algorithm insecure usage in tomcat-util
Product: Tomcat 11
Version: 11.0.4
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: Util
Assignee: dev@tomcat.apache.org
Reporter: sve...@redseal.net
Target Milestone: -------

We have identified that tomcat-util is using the MD5 algorithm, which is not considered secure in FIPS-140.3 mode. In FIPS mode, server startup fails because of MD5 usage in tomcat-util.

The issue arises because tomcat-util uses the MD5 algorithm for initialization in the ConcurrentMessageDigest class, located in the tomcat/util/security folder. This is located in a static block during initialization and cannot be circumvented.

Can we submit a patch to remove the initialization of the MD5 algorithm from the static block of tomcat-util? SHA-1 can be used, which is a more secure algorithm and is compatible with FIPS-140.3 mode.
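
The report describes a static initializer that needs an algorithm the active security providers may not offer. The following is an added example, not Tomcat's code and not from the reporter: the hypothetical `DigestRegistry` class probes algorithms at class load and records the missing ones instead of throwing, so only a caller that requests a disabled algorithm fails. `X-DISABLED` is a constructed name standing in for an algorithm that a restricted provider configuration does not offer.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;

// Hypothetical class for illustration; not Tomcat's ConcurrentMessageDigest.
public class DigestRegistry {
    private static final Map<String, Boolean> AVAILABLE = new ConcurrentHashMap<>();

    static {
        // An exception escaping a static block makes the whole class unusable
        // (ExceptionInInitializerError), so record the probe result instead.
        for (String alg : new String[] {"MD5", "SHA-1", "SHA-256"}) {
            AVAILABLE.put(alg, probe(alg));
        }
    }

    // True when some registered provider offers the algorithm.
    static boolean probe(String algorithm) {
        try {
            MessageDigest.getInstance(algorithm);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static boolean isAvailable(String algorithm) {
        return AVAILABLE.computeIfAbsent(algorithm, DigestRegistry::probe);
    }

    // Fails only for the caller that actually asks for a missing algorithm.
    public static byte[] digest(String algorithm, byte[] input) throws NoSuchAlgorithmException {
        if (!isAvailable(algorithm)) {
            throw new NoSuchAlgorithmException(algorithm + " is not offered by the active providers");
        }
        return MessageDigest.getInstance(algorithm).digest(input);
    }

    public static void main(String[] args) {
        byte[] sample = "constructed sample input".getBytes(StandardCharsets.UTF_8);
        for (String alg : new String[] {"SHA-256", "X-DISABLED"}) {
            try {
                System.out.println(alg + ": " + digest(alg, sample).length + " bytes");
            } catch (NoSuchAlgorithmException e) {
                System.out.println(alg + ": rejected at call time (" + e.getMessage() + ")");
            }
        }
    }
}
```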