[ 
https://issues.apache.org/jira/browse/FINERACT-1415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17432138#comment-17432138
 ] 

James Dailey commented on FINERACT-1415:
----------------------------------------

[~bgowda] if you can also link this ticket to other tickets, please do so.  It 
helps to have related tickets get resolved.  

> Make sure that using this pseudorandom number generator is safe
> ---------------------------------------------------------------
>
>                 Key: FINERACT-1415
>                 URL: https://issues.apache.org/jira/browse/FINERACT-1415
>             Project: Apache Fineract
>          Issue Type: Improvement
>    Affects Versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0
>            Reporter: Victor Romero
>            Assignee: Victor Romero
>            Priority: Major
>              Labels: tech-debt
>             Fix For: 1.6.0
>
>
> [https://sonarcloud.io/project/security_hotspots?id=apache_fineract#]
>  
> Using pseudorandom number generators (PRNGs) is security-sensitive. For 
> example, it has led in the past to the following vulnerabilities:
>  * [CVE-2013-6386|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386]
>  * [CVE-2006-3419|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419]
>  * [CVE-2008-4102|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102]
> When software generates predictable values in a context requiring 
> unpredictability, it may be possible for an attacker to guess the next value 
> that will be generated, and use this guess to impersonate another user or 
> access sensitive information.
> As the {{java.util.Random}} class relies on a pseudorandom number generator, 
> this class and relating {{java.lang.Math.random()}} method should not be used 
> for security-critical applications or for protecting sensitive data. In such 
> context, the {{java.security.SecureRandom}} class which relies on a 
> cryptographically strong random number generator (RNG) should be used in 
> place.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

Reply via email to