Is Spring Security's BCrypt implementation vulnerable?

A security audit at our company found that the prefix of our bcrypt hashes is "$2a$". According to [1] and [2] this could indicate that an older, vulnerable bcrypt implementation is used.

So, here are my questions:

  1. Does Spring Security's bcrypt implementation contain the vulnerability?
  2. Does Spring Security support the "$2x$" and "$2y$" prefixes?


-------------Problems Reply------------

  1. The links you provide are about a vulnerability in the C implementation of BCrypt. The Spring Security implementation is a fork of jBCrypt, which is a different implementation written in Java.
  2. Looking at the source code, as of version 3.2.5, Spring Security doesn't support the "$2x$" and "$2y$" prefixes. The implementation does not contain the C vulnerability, but it is not interoperable with current C-based implementations (like PHP's).
Category: spring security  Time: 2018-02-11
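The prefix question in the reply above comes down to reading the modular-crypt string `$2<variant>$<cost>$<22-char salt><31-char digest>`. The Python audit helper below is an added example, not code from the original post or from Spring Security or jBCrypt. It parses a list of stored hashes, reports the variant and cost of each, and flags the cases such an audit cares about: `$2x$` (the marker crypt_blowfish uses for hashes computed with its buggy pre-1.1 handling of 8-bit characters), variants outside the set the target implementation can verify, and costs below a chosen minimum. `SPRING_SECURITY_VARIANTS` is an assumption derived from the reply (it confirms `$2a$` works and `$2x$`/`$2y$` do not, and says nothing about `$2$` or `$2b$`), and the sample strings are constructed to have the right shape; they are not real password hashes.

```python
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List

# bcrypt modular-crypt string: $2<variant>$<cost>$<22-char salt><31-char digest>
# The variant is empty for the original "$2$" format, otherwise one of a, b, x, y.
BCRYPT_RE = re.compile(
    r"^\$2(?P<variant>[abxy]?)\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# What each variant letter means (crypt_blowfish / OpenBSD conventions).
VARIANT_NOTES: Dict[str, str] = {
    "": "original format; obsolete",
    "a": "standard variant; what jBCrypt and Spring Security emit",
    "x": "crypt_blowfish marker for hashes made with the buggy pre-1.1 8-bit handling",
    "y": "crypt_blowfish 1.1+ marker for the corrected behaviour (PHP emits this)",
    "b": "OpenBSD 2014 revision; fixes a long-password wraparound bug",
}

# ASSUMPTION: the reply only confirms that Spring Security 3.2.5 verifies "$2a$"
# and rejects "$2x$"/"$2y$"; it says nothing about "$2$" or "$2b$", so they are
# left out here. Adjust this set to whatever your version's BCrypt accepts.
SPRING_SECURITY_VARIANTS: FrozenSet[str] = frozenset({"a"})


@dataclass(frozen=True)
class BcryptInfo:
    variant: str
    cost: int
    salt: str
    digest: str


def parse_bcrypt(hash_str: str) -> BcryptInfo:
    """Split a bcrypt string into its fields; raise ValueError if it is not one."""
    m = BCRYPT_RE.match(hash_str)
    if m is None:
        raise ValueError("not a bcrypt modular-crypt string")
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:
        raise ValueError(f"cost {cost} outside bcrypt's 4..31 range")
    return BcryptInfo(m.group("variant"), cost, m.group("salt"), m.group("digest"))


def audit_hashes(hashes: Iterable[str], min_cost: int = 10,
                 supported: FrozenSet[str] = SPRING_SECURITY_VARIANTS) -> List[dict]:
    """Classify each stored hash and list the findings an auditor would raise."""
    report = []
    for h in hashes:
        try:
            info = parse_bcrypt(h)
        except ValueError as exc:
            report.append({"hash": h, "variant": None, "cost": None,
                           "findings": [f"unparseable: {exc}"]})
            continue
        findings = []
        if info.variant == "x":
            findings.append("variant_x: hash computed with the buggy crypt_blowfish behaviour; rehash on next login")
        if info.variant not in supported:
            findings.append(f"variant_unsupported: '$2{info.variant}$' cannot be verified by the target implementation")
        if info.cost < min_cost:
            findings.append(f"low_cost: {info.cost} < {min_cost}")
        report.append({"hash": h, "variant": info.variant, "cost": info.cost, "findings": findings})
    return report


# Constructed sample strings with the right shape; NOT real password hashes.
SALT = "abcdefghijklmnopqrstuv"            # 22 chars
DIGEST = "ABCDEFGHIJKLMNOPQRSTUVWXYZ01234"  # 31 chars
SAMPLE_HASHES = [
    "$2a$10$" + SALT + DIGEST,   # what Spring Security's encoder stores
    "$2y$10$" + SALT + DIGEST,   # what PHP's password_hash() stores
    "$2x$10$" + SALT + DIGEST,   # buggy-behaviour marker
    "$2a$04$" + SALT + DIGEST,   # valid, but far too cheap
    "$2b$12$" + SALT + DIGEST,   # OpenBSD-style
    "5f4dcc3b5aa765d61d8327deb882cf99",  # unsalted MD5 that slipped into the table
]

if __name__ == "__main__":
    for entry in audit_hashes(SAMPLE_HASHES):
        flag = "OK " if not entry["findings"] else "!! "
        print(flag, entry["hash"][:12], entry["variant"], entry["cost"], entry["findings"])
```

Note that a `$2a$` prefix by itself says nothing about which implementation produced the hash, which is why the audit flagged it; the reply's answer is that the producer here was jBCrypt, not the C library with the bug. Widen `supported` (for example to `frozenset({"a", "y"})`) if the verifying side is a newer implementation that accepts the PHP-style prefix.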