[ https://issues.apache.org/jira/browse/FINERACT-1415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17432138#comment-17432138 ]
James Dailey commented on FINERACT-1415: ---------------------------------------- [~bgowda] if you can also link this ticket to other tickets, please do so. It helps to have related tickets get resolved. > Make sure that using this pseudorandom number generator is safe > --------------------------------------------------------------- > > Key: FINERACT-1415 > URL: https://issues.apache.org/jira/browse/FINERACT-1415 > Project: Apache Fineract > Issue Type: Improvement > Affects Versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0 > Reporter: Victor Romero > Assignee: Victor Romero > Priority: Major > Labels: tech-debt > Fix For: 1.6.0 > > > [https://sonarcloud.io/project/security_hotspots?id=apache_fineract#] > > Using pseudorandom number generators (PRNGs) is security-sensitive. For > example, it has led in the past to the following vulnerabilities: > * [CVE-2013-6386|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386] > * [CVE-2006-3419|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419] > * [CVE-2008-4102|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102] > When software generates predictable values in a context requiring > unpredictability, it may be possible for an attacker to guess the next value > that will be generated, and use this guess to impersonate another user or > access sensitive information. > As the {{java.util.Random}} class relies on a pseudorandom number generator, > this class and relating {{java.lang.Math.random()}} method should not be used > for security-critical applications or for protecting sensitive data. In such > context, the {{java.security.SecureRandom}} class which relies on a > cryptographically strong random number generator (RNG) should be used in > place. -- This message was sent by Atlassian Jira (v8.3.4#803005)