[jira] [Comment Edited] (CASSANDRA-16389) Using a cryptographically weak Pseudo Random Number Generator (PRNG)

2021-01-23 Thread Ya Xiao (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-16389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17270799#comment-17270799
 ] 

Ya Xiao edited comment on CASSANDRA-16389 at 1/24/21, 2:06 AM:
---

Thank you so much for replying. We agree that this bug detector is unable to 
know the context. There might be a gap between the tools and the demands in 
practice. We want to collect some information to narrow down the gap. We'll so 
appreciate it if you can share some opinions about the following questions. 
Your feedback is important for us to help improve the state-of-the-art.
 # What kind of support do you think is necessary for a bug detector to be 
useful in practice? Take this as an example: maybe a more accurate context or 
a demonstration of exploits is expected? 
 # Are there any types of bugs/security vulnerabilities you want the detection 
tools to pay more attention to?
 # For a verified bug/vulnerability, what kind of support/features do you 
expect to help fix it?
 # What kind of bug checker/vulnerability detection tools are you using? Do you 
think they are helpful? 


was (Author: yaxiao):
Thank you so much for replying. We agree that this reported case is unable to 
know the context. There might be a gap between the tools and the demands in 
practice. We want to collect some information to narrow down the gap. We'll so 
appreciate it if you can share some opinions about the following questions. 
Your feedback is important for us to help improve the state-of-the-art.
 # What kind of support do you think is necessary for a bug detector to be 
useful in practice? Take this as an example: maybe a more accurate context or 
a demonstration of exploits is expected? 
 # Are there any types of bugs/security vulnerabilities you want the detection 
tools to pay more attention to?
 # For a verified bug/vulnerability, what kind of support/features do you 
expect to help fix it?
 # What kind of bug checker/vulnerability detection tools are you using? Do you 
think they are helpful? 

> Using a cryptographically weak Pseudo Random Number Generator (PRNG)
> 
>
> Key: CASSANDRA-16389
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16389
> Project: Cassandra
>  Issue Type: Improvement
>  Components: Cluster/Gossip
>Reporter: Ya Xiao
>Priority: Low
>
> We are a security research team at Virginia Tech. We are doing an empirical 
> study about the usefulness of the existing security vulnerability detection 
> tools. The following is a reported vulnerability by certain tools. We'll so 
> appreciate it if you can give any feedback on it.
> *Vulnerability Description*
> In file 
> [cassandra/src/java/org/apache/cassandra/gms/Gossiper.java|https://github.com/apache/cassandra/blob/79e693e16e2152097c5b27d2d7aaa1763e34f594/src/java/org/apache/cassandra/gms/Gossiper.java],
>  java.util.Random is used instead of java.security.SecureRandom at Line 123.
> *Security Impact:*
> Java.util.Random is not cryptographically strong and may expose sensitive 
> information to certain types of attacks when used in a security context.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/338.html]
> *Solution we suggest*
> Replace it with SecureRandom
> *Please share with us your opinions/comments if there are any*
> Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

-
To unsubscribe, e-mail: commits-unsubscr...@cassandra.apache.org
For additional commands, e-mail: commits-h...@cassandra.apache.org



[jira] [Commented] (CASSANDRA-16389) Using a cryptographically weak Pseudo Random Number Generator (PRNG)

2021-01-23 Thread Ya Xiao (Jira)


[ 
https://issues.apache.org/jira/browse/CASSANDRA-16389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel=17270799#comment-17270799
 ] 

Ya Xiao commented on CASSANDRA-16389:
-

Thank you so much for replying. We agree that this reported case is unable to 
know the context. There might be a gap between the tools and the demands in 
practice. We want to collect some information to narrow down the gap. We'll so 
appreciate it if you can share some opinions about the following questions. 
Your feedback is important for us to help improve the state-of-the-art.
 # What kind of support do you think is necessary for a bug detector to be 
useful in practice? Take this as an example: maybe a more accurate context or 
a demonstration of exploits is expected? 
 # Are there any types of bugs/security vulnerabilities you want the detection 
tools to pay more attention to?
 # For a verified bug/vulnerability, what kind of support/features do you 
expect to help fix it?
 # What kind of bug checker/vulnerability detection tools are you using? Do you 
think they are helpful? 

> Using a cryptographically weak Pseudo Random Number Generator (PRNG)
> 
>
> Key: CASSANDRA-16389
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16389
> Project: Cassandra
>  Issue Type: Improvement
>  Components: Cluster/Gossip
>Reporter: Ya Xiao
>Priority: Low
>
> We are a security research team at Virginia Tech. We are doing an empirical 
> study about the usefulness of the existing security vulnerability detection 
> tools. The following is a reported vulnerability by certain tools. We'll so 
> appreciate it if you can give any feedback on it.
> *Vulnerability Description*
> In file 
> [cassandra/src/java/org/apache/cassandra/gms/Gossiper.java|https://github.com/apache/cassandra/blob/79e693e16e2152097c5b27d2d7aaa1763e34f594/src/java/org/apache/cassandra/gms/Gossiper.java],
>  java.util.Random is used instead of java.security.SecureRandom at Line 123.
> *Security Impact:*
> Java.util.Random is not cryptographically strong and may expose sensitive 
> information to certain types of attacks when used in a security context.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/338.html]
> *Solution we suggest*
> Replace it with SecureRandom
> *Please share with us your opinions/comments if there are any*
> Is the bug report helpful?






[jira] [Updated] (CASSANDRA-16389) Using a cryptographically weak Pseudo Random Number Generator (PRNG)

2021-01-15 Thread Ya Xiao (Jira)


 [ 
https://issues.apache.org/jira/browse/CASSANDRA-16389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ya Xiao updated CASSANDRA-16389:

Description: 
We are a security research team at Virginia Tech. We are doing an empirical 
study about the usefulness of the existing security vulnerability detection 
tools. The following is a reported vulnerability by certain tools. We'll so 
appreciate it if you can give any feedback on it.

*Vulnerability Description*

In file 
[cassandra/src/java/org/apache/cassandra/gms/Gossiper.java|https://github.com/apache/cassandra/blob/79e693e16e2152097c5b27d2d7aaa1763e34f594/src/java/org/apache/cassandra/gms/Gossiper.java],
 java.util.Random is used instead of java.security.SecureRandom at Line 123.

*Security Impact:*

Java.util.Random is not cryptographically strong and may expose sensitive 
information to certain types of attacks when used in a security context.

*Useful Resources*:

[https://cwe.mitre.org/data/definitions/338.html]

*Solution we suggest*

Replace it with SecureRandom

*Please share with us your opinions/comments if there are any*

Is the bug report helpful?

  was:
We are a security research team at Virginia Tech. We are doing an empirical 
study about the usefulness of the existing security vulnerability detection 
tools. The following is a reported vulnerability by certain tools. We'll so 
appreciate it if you can give any feedback on it.

*Vulnerability Description*

In file org.apache.cassandra.gms.Gossiper.java, java.util.Random is used instead of 
java.security.SecureRandom at Line 123.

*Security Impact:*

Java.util.Random is not cryptographically strong and may expose sensitive 
information to certain types of attacks when used in a security context.

*Useful Resources*:

https://cwe.mitre.org/data/definitions/338.html

*Solution we suggest*

Replace it with SecureRandom

*Please share with us your opinions/comments if there are any*

Is the bug report helpful?


> Using a cryptographically weak Pseudo Random Number Generator (PRNG)
> 
>
> Key: CASSANDRA-16389
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16389
> Project: Cassandra
>  Issue Type: Improvement
>Reporter: Ya Xiao
>Priority: Normal
>
> We are a security research team at Virginia Tech. We are doing an empirical 
> study about the usefulness of the existing security vulnerability detection 
> tools. The following is a reported vulnerability by certain tools. We'll so 
> appreciate it if you can give any feedback on it.
> *Vulnerability Description*
> In file 
> [cassandra/src/java/org/apache/cassandra/gms/Gossiper.java|https://github.com/apache/cassandra/blob/79e693e16e2152097c5b27d2d7aaa1763e34f594/src/java/org/apache/cassandra/gms/Gossiper.java],
>  java.util.Random is used instead of java.security.SecureRandom at Line 123.
> *Security Impact:*
> Java.util.Random is not cryptographically strong and may expose sensitive 
> information to certain types of attacks when used in a security context.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/338.html]
> *Solution we suggest*
> Replace it with SecureRandom
> *Please share with us your opinions/comments if there are any*
> Is the bug report helpful?






[jira] [Updated] (CASSANDRA-16389) Using a cryptographically weak Pseudo Random Number Generator (PRNG)

2021-01-15 Thread Ya Xiao (Jira)


 [ 
https://issues.apache.org/jira/browse/CASSANDRA-16389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ya Xiao updated CASSANDRA-16389:

Summary: Using a cryptographically weak Pseudo Random Number Generator 
(PRNG)  (was: Using a cryptographically weak Pseudo Number Generator (PRNG))

> Using a cryptographically weak Pseudo Random Number Generator (PRNG)
> 
>
> Key: CASSANDRA-16389
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16389
> Project: Cassandra
>  Issue Type: Improvement
>Reporter: Ya Xiao
>Priority: Normal
>
> We are a security research team at Virginia Tech. We are doing an empirical 
> study about the usefulness of the existing security vulnerability detection 
> tools. The following is a reported vulnerability by certain tools. We'll so 
> appreciate it if you can give any feedback on it.
> *Vulnerability Description*
> In file org.apache.cassandra.gms.Gossiper.java, java.util.Random is used 
> instead of java.security.SecureRandom at Line 123.
> *Security Impact:*
> Java.util.Random is not cryptographically strong and may expose sensitive 
> information to certain types of attacks when used in a security context.
> *Useful Resources*:
> https://cwe.mitre.org/data/definitions/338.html
> *Solution we suggest*
> Replace it with SecureRandom
> *Please share with us your opinions/comments if there are any*
> Is the bug report helpful?






[jira] [Updated] (CASSANDRA-16389) Using a cryptographically weak Pseudo Number Generator (PRNG)

2021-01-15 Thread Ya Xiao (Jira)


 [ 
https://issues.apache.org/jira/browse/CASSANDRA-16389?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Ya Xiao updated CASSANDRA-16389:

Summary: Using a cryptographically weak Pseudo Number Generator (PRNG)  
(was: Using a weak Pseudo Number Generator (PRNG))

> Using a cryptographically weak Pseudo Number Generator (PRNG)
> -
>
> Key: CASSANDRA-16389
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16389
> Project: Cassandra
>  Issue Type: Improvement
>Reporter: Ya Xiao
>Priority: Normal
>
> We are a security research team at Virginia Tech. We are doing an empirical 
> study about the usefulness of the existing security vulnerability detection 
> tools. The following is a reported vulnerability by certain tools. We'll so 
> appreciate it if you can give any feedback on it.
> *Vulnerability Description*
> In file org.apache.cassandra.gms.Gossiper.java, java.util.Random is used 
> instead of java.security.SecureRandom at Line 123.
> *Security Impact:*
> Java.util.Random is not cryptographically strong and may expose sensitive 
> information to certain types of attacks when used in a security context.
> *Useful Resources*:
> https://cwe.mitre.org/data/definitions/338.html
> *Solution we suggest*
> Replace it with SecureRandom
> *Please share with us your opinions/comments if there are any*
> Is the bug report helpful?






[jira] [Created] (CASSANDRA-16389) Using a weak Pseudo Number Generator (PRNG)

2021-01-15 Thread Ya Xiao (Jira)
Ya Xiao created CASSANDRA-16389:
---

 Summary: Using a weak Pseudo Number Generator (PRNG)
 Key: CASSANDRA-16389
 URL: https://issues.apache.org/jira/browse/CASSANDRA-16389
 Project: Cassandra
  Issue Type: Improvement
Reporter: Ya Xiao


We are a security research team at Virginia Tech. We are doing an empirical 
study about the usefulness of the existing security vulnerability detection 
tools. The following is a reported vulnerability by certain tools. We'll so 
appreciate it if you can give any feedback on it.

*Vulnerability Description*

In file org.apache.cassandra.gms.Gossiper.java, java.util.Random is used instead of 
java.security.SecureRandom at Line 123.

*Security Impact:*

Java.util.Random is not cryptographically strong and may expose sensitive 
information to certain types of attacks when used in a security context.

*Useful Resources*:

https://cwe.mitre.org/data/definitions/338.html

*Solution we suggest*

Replace it with SecureRandom

*Please share with us your opinions/comments if there are any*

Is the bug report helpful?
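The report above states only that java.util.Random is not cryptographically strong (CWE-338), and the later comments concede that the detector cannot tell whether a given Random sits in a security context. The following is an added Java example, not code from Cassandra or from the reporter's tools, that puts the two cases the thread is really about side by side: a gossip-style peer selection, where a non-cryptographic generator is the appropriate tool because nobody gains from predicting the choice, and a session-token generator, where CWE-338 applies and SecureRandom is required. A third method shows the property that makes Random unsuitable for the second case, namely that its whole output stream is a deterministic function of its seed. The class and method names (RandomnessContexts, pickGossipPeer, newSessionToken, randomIsReproducible) and the peer list are constructed for this example and are not Cassandra identifiers.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.List;
import java.util.Random;
import java.util.concurrent.ThreadLocalRandom;

/**
 * Added example (not Cassandra code): when a non-cryptographic PRNG is fine
 * and when the CWE-338 finding actually applies.
 */
public final class RandomnessContexts {

    /**
     * Non-security use: choose a peer to gossip with. An attacker who predicts
     * this choice gains nothing, so a cheap, well-distributed generator such as
     * Random or ThreadLocalRandom is the right tool. A static detector that only
     * pattern-matches on "new Random" will still flag this call site.
     */
    static String pickGossipPeer(List<String> liveEndpoints, Random rng) {
        if (liveEndpoints.isEmpty()) {
            throw new IllegalArgumentException("no live endpoints to gossip with");
        }
        return liveEndpoints.get(rng.nextInt(liveEndpoints.size()));
    }

    /**
     * Security use: a value an attacker must not be able to guess or reproduce
     * (session token, nonce, salt). Here CWE-338 applies and SecureRandom, the
     * JDK's CSPRNG, is required; 32 bytes gives 256 bits of unpredictability.
     */
    static String newSessionToken(SecureRandom csprng) {
        byte[] buf = new byte[32];
        csprng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /**
     * Why Random must not back the second case: java.util.Random is a 48-bit
     * linear congruential generator, so two instances built from the same seed
     * emit identical streams. Returns true when the first 1000 outputs agree.
     */
    static boolean randomIsReproducible(long seed) {
        Random a = new Random(seed);
        Random b = new Random(seed);
        for (int i = 0; i < 1000; i++) {
            if (a.nextInt() != b.nextInt()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample input: three live endpoints of a hypothetical cluster.
        List<String> peers = List.of("10.0.0.1", "10.0.0.2", "10.0.0.3");

        // ThreadLocalRandom extends Random, so it slots into the non-security path.
        System.out.println("gossip target: " + pickGossipPeer(peers, ThreadLocalRandom.current()));
        System.out.println("session token: " + newSessionToken(new SecureRandom()));
        System.out.println("Random stream reproducible from seed 42: " + randomIsReproducible(42L));
    }
}
```

Compile and run with `javac RandomnessContexts.java && java RandomnessContexts` (Java 9 or later for `List.of`). The triage question for a finding like the one in this ticket is the one the first method's comment asks: does anyone gain from predicting the number? For peer selection the answer is no, and replacing Random there would add contention and entropy consumption for no security benefit; for anything that acts as a secret, the second method is the pattern to apply.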


