Bazel allows users to use sha1 Hash for Jar Verification #8880
Comments
laurentlb
added
the
P0
|
Related: #6799 The vulnerability affects the function |
The native |
|
I think the next steps are:
|
|
This is not a security bug, and and not a vulnerability. sha1 function and maven_jar exist in Bazel, similar to how SHA1 functions are available to Java , C++ and other major languages. Its existence does not constitute vulnerability - if users do not want to use it, they are free to not to. |
dslomov
added
P2
dslomov
changed the title
|
At least, the documentation is misleading:
It is also a security risk to specify SHA-1, as far as I understand. |
|
Should a CVE be issued for this report? |
…of security as a cryptographic hash. See #8880. RELNOTES: None. PiperOrigin-RevId: 258186415
|
We have added guidance in the documentation that SHA-1 is no longer considered a strong cryptographic hash, but it is still better than not using any. We have also added a recommendation to switch from See https://docs.bazel.build/versions/master/be/workspace.html#maven_jar.sha1 for more information. Based on the above, I believe we have achieved remediation ("Add and recommend usage of stronger hashes (e.g. sha256)") and we can close this issue. The next steps from here will be to remove the |
..and print warnings if sha256 or sha256_src aren't used, like this: > `WARNING: /usr/local/google/home/jingwen/code/copybara/WORKSPACE:192:1: maven_jar rule @junit//jar: Not using a checksum to verify the integrity of the artifact or the usage of SHA-1 is not secure (see https://shattered.io) and can result in an non-reproducible build. Please specify the SHA-256 checksum with: sha256 = "90a8e1603eeca48e7e879f3afbc9560715322985f39a274f6f6070b43f9d06fe",` > `WARNING: /usr/local/google/home/jingwen/code/copybara/WORKSPACE:192:1: maven_jar rule @junit//jar: Not using a checksum to verify the integrity of the artifact or the usage of SHA-1 is not secure (see https://shattered.io) and can result in an non-reproducible build. Please specify the SHA-256 checksum with: sha256_src = "694f4694a51f67dadea4d2045742d38fb4efb92d82d42744b15e26ce653bcd3e",` The warning message is designed to be copy paste-able directly into the WORKSPACE file. #6799 #8880 RELNOTES: Added `sha256` and `sha256_src` attributes to `maven_jar`. Please consider migrating to SHA-256 as SHA-1 has been deemed cryptographically insecure ([https://shattered.io]()). Or, use [`rules_jvm_external`](https://github.com/bazelbuild/rules_jvm_external) to manage your transitive Maven dependencies with artifact pinning and SHA-256 verification support. Closes #9237. Change-Id: I17ef2f88911efbb4527303b1dc1bcb827cc5e308 PiperOrigin-RevId: 265530046
philwo
added
the
team-OSS
philwo
removed
the
team-OSS
… of security as a cryptographic hash.
See bazelbuild/bazel#8880.
RELNOTES: None.
PiperOrigin-RevId: 258186415
This is a public disclosure of a 0-day vulnerability in Bazel that has not been fixed within the 90-day vulnerability disclosure window given to the Google security team.
The original report to the Google Security Team can be found here:
https://issuetracker.google.com/issues/130163464
Summary: CWE-327: Use of a Broken or Risky Cryptographic Algorithm for Security Verification of Build Dependencies
Bazel's build uses SHA-1 hashes to verify the integrity of build artifacts resolved from artifact servers to ensure that they haven't been maliciously compromised.
https://docs.bazel.build/versions/master/be/workspace.html#maven_jar_args
The specific quote that's important here is "It is a security risk to omit the SHA-1 as remote files can change."
According to Wikipedia: https://en.wikipedia.org/wiki/SHA-1
"Since 2005 SHA-1 has not been considered secure against well-funded opponents"
A practical SHA-1 attack has been demonstrated by Google:
https://shattered.io/
I want to note that some uses of Bazel I've found in Non-Google public repositories are using HTTP to resolve dependencies from artifact server, thus opening them to MITM attacks where an SHA-1 collision artifact is served. See #8607
Attack scenario:
Large, well-funded organizations with the capabilities to invest lots of CPU time into this attack.
https://shattered.io/
By creating an SHA-1 collision of some JAR file, hacking a popular artifact server (like JFrog or Maven Central) and replacing those artifacts, Bazel users may be using maliciously compromised artifacts without knowing that's what they are doing.
The second preimage attack now only costs ~$100,000 according to new research published May 13th, 2019.
As such, this attack is now financially feasible against the Basel Build Infrastructure. Such an attack would only cost ~ the average 1 year salary of your average software engineer in the US.
The text was updated successfully, but these errors were encountered: