David Camilo Espitia Manrique created MATH-1182:
---------------------------------------------------
Summary: BUG - Insufficient Entropy in Commons-math3-3.3
Key: MATH-1182
URL: https://issues.apache.org/jira/browse/MATH-1182
Project: Commons Math
Issue Type: Bug
Affects Versions: 3.3
Reporter: David Camilo Espitia Manrique
Fix For: 3.3
We are currently using Commons-math3-3.3 and in the analysis for veracode,
found this bug in these class:
1. FastMath.java (Line 813)
2. SynchronizedRandomGenerator.java (Line 78 and Line 85)
3. UniformIntegerDistribution.java (Line 164 and Line 172)
Type : Insufficient Entropy
Description:
Standard random number generators do not provide a sufficient amount of entropy
when used for security purposes.
Attackers can brute force the output of pseudorandom number generators such as
rand().
Recommendations:
If this random number is used where security is a concern, such as generating a
session key or session identifier, use
a trusted cryptographic random number generator instead. These can be found on
the Windows platform in the
CryptoAPI or in an open source library such as OpenSSL.
Thanks.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
