ulisesbocchio jasypt-spring-boot
- >= 3.0.0, <= 4.0.5-SNAPSHOT
A vulnerability exists in the Jasypt-Spring-Boot library, specifically in versions up to 3.0.5 and 4.0.4, within the Password Hash Handler component. The issue arises because the function responsible for generating salt for key derivation defaults to a deterministic zero-salt when the user does not provide a custom salt. This predictable salt, combined with a low iteration count for the PBKDF2 key derivation process, creates weak cryptographic defaults that can be exploited. The vulnerability allows for cross-deployment key reuse and offline brute-force attacks against weak master passwords.
Exploitation of this vulnerability leads to cross-deployment reuse of AES-256 encryption keys, allowing ciphertext from one deployment to be decrypted in another. Additionally, because the salt is a fixed zero value, offline dictionary or rainbow-table attacks against weak master passwords become practical, and the default PBKDF2 iteration count of 1000 is too low to slow them down.
The vulnerability can be reproduced by using Jasypt-Spring-Boot version 4.0.5-SNAPSHOT with the default configuration, which includes a master password but no custom salt. This can be done by omitting the 'jasypt.encryptor.gcm-secret-key-salt' property, which defaults to zero, and using a weak master password. Once the application is running, the vulnerability can be demonstrated by encrypting a value with the Jasypt String Encryptor and then decrypting it in a different deployment that uses the same master password, showing that the same AES key is used in both cases.
Users can manually set 'jasypt.encryptor.gcm-secret-key-salt' to a random value in base64 format to avoid the zero-salt default. It is also recommended to raise the PBKDF2 iteration count to 600,000, in line with current OWASP guidelines.
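The check below is an added example, not code from the project: it groups deployments by the AES key their settings derive, showing the collision under the zero-salt default and its absence once each deployment has a random base64 salt. It assumes PBKDF2 with HMAC-SHA256 and a 16-byte salt (neither is stated above); the deployment names, the "password" dictionary key and the master password are constructed.

```python
import base64
import hashlib
import secrets
from collections import defaultdict

SALT_PROP = "jasypt.encryptor.gcm-secret-key-salt"  # property named in the advisory
PRF, SALT_LEN, KEY_LEN = "sha256", 16, 32  # assumed PRF and salt length; 32 bytes = AES-256
DEFAULT_ITERATIONS = 1000       # default stated in the advisory
HARDENED_ITERATIONS = 600_000   # value the advisory recommends


def effective_salt(props: dict) -> bytes:
    """Salt actually fed to PBKDF2: all zeros when the property is unset."""
    value = props.get(SALT_PROP)
    return base64.b64decode(value) if value else bytes(SALT_LEN)


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Derive the 256-bit AES key from the master password."""
    return hashlib.pbkdf2_hmac(PRF, password.encode(), salt, iterations, dklen=KEY_LEN)


def shared_key_groups(deployments: dict, iterations: int = DEFAULT_ITERATIONS) -> list:
    """Return lists of deployment names that end up with the same AES key."""
    by_key = defaultdict(list)
    for name, props in deployments.items():
        key = derive_key(props["password"], effective_salt(props), iterations)
        by_key[key].append(name)
    return [sorted(names) for names in by_key.values() if len(names) > 1]


def harden(props: dict) -> dict:
    """Copy of props with a fresh random base64 salt set."""
    salt = base64.b64encode(secrets.token_bytes(SALT_LEN)).decode("ascii")
    return {**props, SALT_PROP: salt}


# Constructed sample: two unrelated deployments that share a master password.
DEPLOYMENTS = {
    "billing-prod": {"password": "constructed-master-password"},
    "reports-staging": {"password": "constructed-master-password"},
}

if __name__ == "__main__":
    print("default salt:", shared_key_groups(DEPLOYMENTS))
    fixed = {name: harden(p) for name, p in DEPLOYMENTS.items()}
    print("random salts:", shared_key_groups(fixed, HARDENED_ITERATIONS))
    for name, p in fixed.items():
        print(f"{name}: {SALT_PROP}={p[SALT_PROP]}")
```

Changing the salt or iteration count changes the derived key, so values encrypted under the old settings have to be re-encrypted after the change.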