Recent versions of Solr use 2048. https://github.com/apache/lucene-solr/blob/branch_8_6/solr/core/src/java/org/apache/solr/util/CryptoKeys.java#L332
Thanks for your report.

On Fri, Feb 12, 2021 at 3:44 PM Mahir Kabir <mdmahiras...@vt.edu> wrote:

> Hello,
>
> I am a Ph.D. student at Virginia Tech, USA. While working on a security
> project-related work, we came across the following vulnerability in the
> source code -
>
> In file
>
> https://github.com/apache/lucene-solr/blob/branch_6_6/solr/core/src/java/org/apache/solr/util/CryptoKeys.java
> <
> https://github.com/apache/ranger/blob/71e1dd40366c8eb8e9c498b0b5158d85d603af02/kms/src/main/java/org/apache/hadoop/crypto/key/RangerKeyStore.java
> >
> (at
> Line 300) Key Size was set as 1024.
>
> *Security Impact*:
>
> < 2048 key size for RSA algorithm makes the system vulnerable to
> brute-force attack
>
> *Useful resource*:
> https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-4426
> https://rules.sonarsource.com/java/type/Vulnerability/RSPEC-4426
>
> *Solution we suggest*:
>
> For RSA algorithm, the key size should be >= 2048
>
> *Please share with us your opinions/comments if there is any*:
>
> Is the bug report helpful?
>
> Please let us know what you think about the issue. Any feedback will be
> appreciated.
>
> Thank you,
> Md Mahir Asef Kabir
> Ph.D. Student
> Department of CS
> Virginia Tech
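The thread above turns on whether an RSA key is 1024 or 2048 bits. The following is an added example, not part of the thread and not Solr's code: it measures the modulus size of an encoded RSA public key and applies the 2048-bit minimum from the report. The class name, method names and the generated sample keys are assumptions made for illustration.

```java
import java.security.KeyFactory;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.X509EncodedKeySpec;

// Hypothetical helper class, not taken from Solr.
public class RsaKeySizeCheck {
    // Minimum RSA modulus size suggested in the report.
    static final int MIN_RSA_BITS = 2048;

    // Decodes an X.509 (SubjectPublicKeyInfo) RSA public key and
    // returns the size of its modulus in bits.
    static int modulusBits(byte[] x509Encoded) throws Exception {
        PublicKey key = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(x509Encoded));
        return ((RSAPublicKey) key).getModulus().bitLength();
    }

    // True when the key meets the minimum; the check is on the key
    // material itself, not on the size the generating code asked for.
    static boolean isAcceptable(byte[] x509Encoded) throws Exception {
        return modulusBits(x509Encoded) >= MIN_RSA_BITS;
    }

    // Constructed sample input: a fresh RSA public key of the given size.
    static byte[] generate(int bits) throws Exception {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(bits);
        return gen.generateKeyPair().getPublic().getEncoded();
    }

    public static void main(String[] args) throws Exception {
        // 1024 is the size named in the report, 2048 the size in the reply.
        for (int bits : new int[] {1024, 2048}) {
            byte[] encoded = generate(bits);
            System.out.printf("requested=%d measured=%d acceptable=%b%n",
                    bits, modulusBits(encoded), isAcceptable(encoded));
        }
    }
}
```

Because it reads the encoded key rather than the generator's configuration, the same check can be pointed at public keys that are already deployed.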