[ 
https://issues.apache.org/jira/browse/FINERACT-1415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17431330#comment-17431330
 ] 

Victor Romero commented on FINERACT-1415:
-----------------------------------------

Not it has been fixed with this PR https://github.com/apache/fineract/pull/1908

> Make sure that using this pseudorandom number generator is safe
> ---------------------------------------------------------------
>
>                 Key: FINERACT-1415
>                 URL: https://issues.apache.org/jira/browse/FINERACT-1415
>             Project: Apache Fineract
>          Issue Type: Improvement
>            Reporter: Victor Romero
>            Assignee: Victor Romero
>            Priority: Major
>
> [https://sonarcloud.io/project/security_hotspots?id=apache_fineract#]
>  
> Using pseudorandom number generators (PRNGs) is security-sensitive. For 
> example, it has led in the past to the following vulnerabilities:
>  * [CVE-2013-6386|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386]
>  * [CVE-2006-3419|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419]
>  * [CVE-2008-4102|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102]
> When software generates predictable values in a context requiring 
> unpredictability, it may be possible for an attacker to guess the next value 
> that will be generated, and use this guess to impersonate another user or 
> access sensitive information.
> As the {{java.util.Random}} class relies on a pseudorandom number generator, 
> this class and relating {{java.lang.Math.random()}} method should not be used 
> for security-critical applications or for protecting sensitive data. In such 
> context, the {{java.security.SecureRandom}} class which relies on a 
> cryptographically strong random number generator (RNG) should be used in 
> place.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to