Ya Xiao created CASSANDRA-16389:
-----------------------------------
Summary: Using a weak Pseudo Number Generator (PRNG)
Key: CASSANDRA-16389
URL: https://issues.apache.org/jira/browse/CASSANDRA-16389
Project: Cassandra
Issue Type: Improvement
Reporter: Ya Xiao
We are a security research team at Virginia Tech. We are doing an empirical
study about the usefulness of the existing security vulnerability detection
tools. The following is a reported vulnerability by certain tools. We'll so
appreciate it if you can give any feedback on it.
*Vulnerability Description*
In file org.apache.cassandra.gms.Gossiper.java, use java.util.Random instead of
java.security.SecureRandom at Line 123.
*Security Impact:*
Java.util.Random is not cryptographically strong and may expose sensitive
information to certain types of attacks when used in a security context.
*Useful Resources*:
https://cwe.mitre.org/data/definitions/338.html
*Solution we suggest*
Replace it with SecureRandom
*Please share with us your opinions/comments if there is any*
Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org
