Release Notes / Version 10.2107
By default, passwords of Content Server built-in users and of Elastic Social users are stored using the BCrypt password hashing algorithm from Spring Security with a work factor of 10. A security vulnerability in Spring Security (CVE-2022-22976) weakens BCrypt hashes if you have changed the default configuration to use work factor 31 via the configuration property cap.server.login.password-hash-algorithm for the Content Server or the property elastic.social.password-hash-algorithm for Elastic Social: with work factor 31 the round count of 2^31 overflows a signed 32-bit integer, so the key-stretching loop runs zero times and the resulting hashes are far cheaper to brute-force than the configured work factor suggests. You don't need to take action if you are using the default configuration or a BCrypt work factor less than 31.
With this release, a work factor of 31 is no longer accepted. Content Server and Elastic Social applications will fail to start if such a work factor is configured. Note that it would be an unreasonable choice anyway, because it would require multiple days to compute a single hash. If you had configured work factor 31, then you must change the value in the configuration properties mentioned above, for example to the default work factor of 10 or a slightly higher one. The passwords of all users that were stored with work factor 31 still work, but they should be changed so that they are stored more securely with the new work factor. For details, see also the description of the CVE at https://tanzu.vmware.com/security/cve-2022-22976 .
(CMS-21792)
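As an added example (not code from CoreMedia or Spring Security), the following Python script shows the two checks an operator wants after reading this note: why work factor 31 is dangerous (in Java's 32-bit int arithmetic the round count 1 << 31 wraps to a negative value, so a loop bounded by it runs zero times) and how to find stored hashes that carry cost 31 and therefore belong to users whose passwords should be changed. The user names and hashes are constructed sample data, and the 4..30 validation bounds are an assumption of this example, not a documented CoreMedia rule.

```python
import ctypes
import re

# BCrypt modular-crypt format: $2a$<cost>$<22-char salt><31-char hash>.
BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")

# Constructed sample of stored hashes (assumed user names, not real data).
# The 53-character tail is a well-known bcrypt test vector reused for each
# entry; only the cost field differs.
TAIL = "N9qo8uLOickgx2ZMRZoMyeIjZAgcfl7p92ldGxad68LJZdL17lhWy"
SAMPLE_HASHES = {
    "admin": "$2a$10$" + TAIL,
    "editor": "$2a$12$" + TAIL,
    "legacy-user": "$2a$31$" + TAIL,
}


def bcrypt_cost(stored_hash: str) -> int:
    """Return the work factor encoded in a bcrypt hash, or raise ValueError."""
    m = BCRYPT_RE.match(stored_hash)
    if not m:
        raise ValueError("not a bcrypt hash: %r" % stored_hash)
    return int(m.group(1))


def rounds_as_java_int(log_rounds: int) -> int:
    """1 << log_rounds evaluated in Java's signed 32-bit int arithmetic."""
    return ctypes.c_int32(1 << log_rounds).value


def key_stretching_iterations(log_rounds: int) -> int:
    """Iterations a loop `for (i = 0; i < rounds; i++)` would execute."""
    return max(0, rounds_as_java_int(log_rounds))


def validate_work_factor(value: int) -> int:
    """Reject work factor 31 (overflows to zero rounds) and out-of-range values.
    The 4..30 range is an assumption of this example."""
    if value == 31:
        raise ValueError("work factor 31 is rejected: it overflows to zero rounds")
    if not 4 <= value <= 30:
        raise ValueError("work factor must be between 4 and 30")
    return value


def hashes_needing_rehash(stored: dict) -> list:
    """User names whose stored hash was produced with work factor 31."""
    return sorted(u for u, h in stored.items() if bcrypt_cost(h) >= 31)


if __name__ == "__main__":
    for lr in (10, 12, 30, 31):
        print(lr, rounds_as_java_int(lr), key_stretching_iterations(lr))
    print("rehash:", hashes_needing_rehash(SAMPLE_HASHES))
```

Run the script as-is to see that work factor 30 still yields 2^30 iterations while 31 yields zero; pointing hashes_needing_rehash at an export of your real stored hashes lists the accounts whose passwords should be changed after the work factor has been corrected.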