[ https://issues.apache.org/jira/browse/CASSANDRA-16389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17270799#comment-17270799 ]

Ya Xiao edited comment on CASSANDRA-16389 at 1/24/21, 2:06 AM:
---------------------------------------------------------------

Thank you so much for replying. We agree that this bug detector is unable to
know the context. There might be a gap between the tools and the demands in
practice. We want to collect some information to narrow down that gap. We
would appreciate it if you could share your opinions on the following
questions. Your feedback is important in helping us improve the state of the
art.
 # What kind of support do you think is necessary for a bug detector to be
useful in practice? Taking this report as an example, maybe a more accurate
context or a demonstration of exploits is expected?
 # Are there any types of bugs/security vulnerabilities you want the detection
tools to pay more attention to?
 # For a verified bug/vulnerability, what kind of support/features do you
expect to help fix it?
 # What kind of bug checker/vulnerability detection tools are you using? Do you
think they are helpful?


was (Author: yaxiao):
Thank you so much for replying. We agree that this reported case is unable to
know the context. There might be a gap between the tools and the demands in
practice. We want to collect some information to narrow down that gap. We
would appreciate it if you could share your opinions on the following
questions. Your feedback is important in helping us improve the state of the
art.
 # What kind of support do you think is necessary for a bug detector to be
useful in practice? Taking this report as an example, maybe a more accurate
context or a demonstration of exploits is expected?
 # Are there any types of bugs/security vulnerabilities you want the detection
tools to pay more attention to?
 # For a verified bug/vulnerability, what kind of support/features do you
expect to help fix it?
 # What kind of bug checker/vulnerability detection tools are you using? Do you
think they are helpful?

> Using a cryptographically weak Pseudo Random Number Generator (PRNG)
> --------------------------------------------------------------------
>
>                 Key: CASSANDRA-16389
>                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16389
>             Project: Cassandra
>          Issue Type: Improvement
>          Components: Cluster/Gossip
>            Reporter: Ya Xiao
>            Priority: Low
>
> We are a security research team at Virginia Tech. We are doing an empirical
> study about the usefulness of existing security vulnerability detection
> tools. The following is a vulnerability reported by certain tools. We would
> appreciate any feedback you can give on it.
> *Vulnerability Description*
> In file
> [cassandra/src/java/org/apache/cassandra/gms/Gossiper.java|https://github.com/apache/cassandra/blob/79e693e16e2152097c5b27d2d7aaa1763e34f594/src/java/org/apache/cassandra/gms/Gossiper.java],
>  java.util.Random is used instead of java.security.SecureRandom at Line 123.
> *Security Impact:*
> java.util.Random is not cryptographically strong and may expose sensitive
> information to certain types of attacks when used in a security context.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/338.html]
> *Solution we suggest*
> Replace it with SecureRandom.
> *Please share with us your opinions/comments if there is any*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org

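The thread turns on "context": whether the value drawn from java.util.Random at the flagged line needs to be unpredictable to an attacker. The report does not say what that value is used for, and this page does not settle it. What can be shown concretely is the property the CWE-338 finding rests on. The following is an added example written for this page, not Cassandra code and not the researchers' tool output; it assumes only the JDK and the published algorithm of java.util.Random (a 48-bit linear congruential generator). It recovers the generator's full state from two consecutive nextInt() outputs and then predicts every later output, which is the attack a cryptographically weak PRNG permits and SecureRandom, a drop-in replacement for the same API, does not.

```java
// Added example, not part of the Cassandra project. Assumes only the JDK.
import java.security.SecureRandom;
import java.util.Random;

public class WeakPrngDemo {
    // Constants of java.util.Random's 48-bit linear congruential generator
    // (documented in the java.util.Random Javadoc).
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD  = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** Minimal re-implementation of Random.next(32), used to run a recovered state forward. */
    static final class Lcg {
        long state;
        Lcg(long state) { this.state = state; }
        int nextInt() {
            state = (state * MULT + ADD) & MASK;
            return (int) (state >>> 16);   // nextInt() exposes the top 32 of the 48 state bits
        }
    }

    /**
     * Recover the full 48-bit state from two consecutive nextInt() outputs.
     * out1 is the top 32 bits of the state that produced it, so only the low
     * 16 bits are unknown: 65536 candidates, one of which yields out2 next.
     * Returns null if no candidate matches (the outputs were not consecutive,
     * or did not come from java.util.Random).
     */
    static Lcg recover(int out1, int out2) {
        long high = ((long) out1 & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1L << 16); low++) {
            Lcg candidate = new Lcg(high | low);
            if (candidate.nextInt() == out2) {
                return candidate;   // its state now equals the victim's state after out2
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Victim: a generator of the kind the report flags, with the JDK's default seeding.
        Random victim = new Random();
        int a = victim.nextInt();
        int b = victim.nextInt();

        Lcg clone = recover(a, b);
        if (clone == null) throw new IllegalStateException("state recovery failed");
        for (int i = 0; i < 5; i++) {
            int predicted = clone.nextInt();
            int actual = victim.nextInt();
            System.out.printf("predicted %11d  actual %11d  %s%n",
                    predicted, actual, predicted == actual ? "MATCH" : "MISMATCH");
        }

        // The suggested fix: SecureRandom extends Random, so the call sites do not
        // change. Its outputs do not leak state, so the same search has nothing to
        // find (a chance false positive, probability about 2^-16, would fail on the
        // very next output).
        Random strong = new SecureRandom();
        int c = strong.nextInt();
        int d = strong.nextInt();
        System.out.println("SecureRandom state recovered: " + (recover(c, d) != null));
    }
}
```

Compile and run with `javac WeakPrngDemo.java && java WeakPrngDemo`; the five predictions match the victim's next five outputs. The practical check for a finding like this one is therefore not the class name but the question the Cassandra reply raised: if an outside party who can observe some of the generated values gains anything from predicting the rest, the replacement is warranted; if the values only spread load or pick a peer to talk to, the detector has flagged a pattern rather than a vulnerability.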