[ https://issues.apache.org/jira/browse/CASSANDRA-16389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ya Xiao updated CASSANDRA-16389: -------------------------------- Summary: Using a cryptographically weak Pseudo Random Number Generator (PRNG) (was: Using a cryptographically weak Pseudo Number Generator (PRNG)) > Using a cryptographically weak Pseudo Random Number Generator (PRNG) > -------------------------------------------------------------------- > > Key: CASSANDRA-16389 > URL: https://issues.apache.org/jira/browse/CASSANDRA-16389 > Project: Cassandra > Issue Type: Improvement > Reporter: Ya Xiao > Priority: Normal > > We are a security research team at Virginia Tech. We are doing an empirical > study about the usefulness of the existing security vulnerability detection > tools. The following is a reported vulnerability by certain tools. We'll so > appreciate it if you can give any feedback on it. > *Vulnerability Description* > In file org.apache.cassandra.gms.Gossiper.java, use java.util.Random instead > of java.security.SecureRandom at Line 123. > *Security Impact:* > Java.util.Random is not cryptographically strong and may expose sensitive > information to certain types of attacks when used in a security context. > *Useful Resources*: > https://cwe.mitre.org/data/definitions/338.html > *Solution we suggest* > Replace it with SecureRandom > *Please share with us your opinions/comments if there is any* > Is the bug report helpful? -- This message was sent by Atlassian Jira (v8.3.4#803005) --------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org For additional commands, e-mail: commits-h...@cassandra.apache.org