Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2022-29161: [XWIKI-19676] Update the RSA Crypto script service to use SHA256 instead of SHA1 for certificate signature

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. The XWiki Crypto API will generate X509 certificates signed by default using SHA1 with RSA, which is not considered safe anymore for use in certificate signatures, due to the risk of collisions with SHA1. The problem has been patched in XWiki version 13.10.6, 14.3.1 and 14.4-rc-1. Since then, the Crypto API will generate X509 certificates signed by default using SHA256 with RSA. Administrators are advised to upgrade their XWiki installation to one of the patched versions. If the upgrade is not possible, it is possible to patch the module xwiki-platform-crypto in a local installation by applying the change exposed in 26728f3 and re-compiling the module.

CVE
Open in Source
#ssl

Since September 2021, OpenSSL in version 3.0.0 discards by default certificates signed using SHA1, as techniques have been found to create collisions on SHA1 signatures.

In order to continue using SHA1-signed certificates, end users have to configure their OpenSSL installation to lower its security level, which will also allow other less-securely signed certificates to be validated by OpenSSL (this issue talks about it).

In XWiki, we use SHA1 with RSA to sign certificates with the crypto APIs by default, this task is about switching to a more robust hashing algorithm.

Looking at what is done outside, it seems that SHA256-signed certificates have become the norm, and are now used by Let’s Encrypt.

Related news

GHSA-h8v5-p258-pqf4: Use of a Broken or Risky Cryptographic Algorithm in XWiki Crypto API

### Impact XWiki Crypto API will generate X509 certificates signed by default using SHA1 with RSA, which is not considered safe anymore for use in certificate signatures, due to the risk of collisions with SHA1. Note that this API is never used in XWiki Standard but it might be used in some extensions of XWiki. ### Patches The problem has been patched in XWiki version 13.10.6, 14.3.1 and 14.4-rc-1. Since then, the Crypto API will generate X509 certificates signed by default using SHA256 with RSA. ### Workarounds Administrators are advised to upgrade their XWiki installation to one of the patched versions. If the upgrade is not possible, it is possible to patch the module xwiki-platform-crypto in a local installation by applying the change exposed in https://github.com/xwiki/xwiki-platform/commit/26728f3f23658288683667a5182a916c7ecefc52 and re-compiling the module. ### References https://jira.xwiki.org/browse/XWIKI-19676 https://github.com/openssl/openssl/blob/master/CHANGES.md?plain...

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE
CVE-2023-6905
CVE
CVE-2023-6903
CVE
CVE-2023-6904
CVE
CVE-2023-3907
CVE