Vulnerability in EPiServer.Forms

Try our conversational search powered by Generative AI!

AI OnAI Off

Lucene search uses MD5 hashing, which is not FIPS compliant

Fixed in

EPiServer.Search 9.0.2

Created

Dec 03, 2018

Updated

Jan 28, 2019

Area

CMS Core

State

Closed, Fixed and tested

Description

The indexing service uses Lucene which, by default, uses MD5 hashing. This is not FIPS compliant.

  1. Install Episerver on a Windows server.
  2. Enable FIPS mode by updating the key at HKLM/System/CurrentControlSet/Control/Lsa/FipsAlgorithmPolicy/Enabled to "1".
  3. Restart the computer.
  4. Update the Web.config to have a FIPS accepted algorithm (<machineKey decryption="3DES" validation="SHA1" decryptionKey="AutoGenerate,IsolateApps" validationKey="AutoGenerate,IsolateApps"/> ).
  5. Generate new machine keys.
  6. Try to index using Lucene Search.

Expected:
Should work.

Actual:
Throws an exception.

NOTE: This fix includes a new setting on the indexing service configuration, fipsCompliant="true", that must be configured.