Missing Optimal Asymmetric Encryption Padding (OAEP)

Description

RSA encryption performed without Optimal Asymmetric Encryption Padding (OAEP) is vulnerable to attack. This weakness can lead to security risks such as information disclosure.

Remediations

  • Always use OAEP with RSA encryption to enhance security and mitigate vulnerabilities.
    Cipher cipher = Cipher.getInstance("RSA/ECB/OAEPWithMD5AndMGF1Padding"); // OAEP transformation; SHA-256 variants (e.g. "RSA/ECB/OAEPWithSHA-256AndMGF1Padding") are also available in the JDK
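A fuller Java example, added here and not part of the Bearer rule page: it shows the weak form this rule flags (RSA/ECB/NoPadding) beside a remediated OAEP configuration, using the SHA-256 variant of the transformation rather than the MD5 one quoted above and pinning the MGF1 digest with an OAEPParameterSpec. The class and method names are made up for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.spec.MGF1ParameterSpec;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.OAEPParameterSpec;
import javax.crypto.spec.PSource;

public class RsaOaepExample {
    // Weak form that the rule flags: raw RSA with no padding. Kept here only
    // to show that it is deterministic (same key + plaintext = same ciphertext).
    static byte[] encryptNoPadding(KeyPair kp, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic());
        return c.doFinal(plaintext);
    }

    // Remediated form: OAEP with the label hash and MGF1 digest pinned explicitly.
    // Without an OAEPParameterSpec, SunJCE uses SHA-1 for MGF1 even when the
    // transformation string names SHA-256, which breaks interop with other libraries.
    static OAEPParameterSpec oaepSha256() {
        return new OAEPParameterSpec("SHA-256", "MGF1",
                MGF1ParameterSpec.SHA256, PSource.PSpecified.DEFAULT);
    }

    static byte[] encryptOaep(KeyPair kp, byte[] plaintext) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.ENCRYPT_MODE, kp.getPublic(), oaepSha256());
        return c.doFinal(plaintext);
    }

    static byte[] decryptOaep(KeyPair kp, byte[] ciphertext) throws Exception {
        Cipher c = Cipher.getInstance("RSA/ECB/OAEPWithSHA-256AndMGF1Padding");
        c.init(Cipher.DECRYPT_MODE, kp.getPrivate(), oaepSha256());
        return c.doFinal(ciphertext);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair kp = kpg.generateKeyPair();
        byte[] msg = "constructed sample message".getBytes(StandardCharsets.UTF_8); // constructed input
        // NoPadding: equal plaintexts give equal ciphertexts, so guesses can be confirmed.
        System.out.println("NoPadding deterministic: "
                + Arrays.equals(encryptNoPadding(kp, msg), encryptNoPadding(kp, msg)));
        // OAEP: a fresh random seed on every call, so equal plaintexts differ.
        byte[] ct1 = encryptOaep(kp, msg), ct2 = encryptOaep(kp, msg);
        System.out.println("OAEP deterministic: " + Arrays.equals(ct1, ct2));
        System.out.println("OAEP round-trip ok: " + Arrays.equals(msg, decryptOaep(kp, ct1)));
    }
}
```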

References

Associated CWE

OWASP Top 10

Configuration

To skip this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --skip-rule=java_lang_rsa_no_padding

To run only this rule during a scan, use the following flag:

bearer scan /path/to/your-project/ --only-rule=java_lang_rsa_no_padding