[jira] [Commented] (FINERACT-1415) Make sure that using this pseudorandom number generator is safe
[ https://issues.apache.org/jira/browse/FINERACT-1415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17433185#comment-17433185 ]

VICTOR ROMERO commented on FINERACT-1415:
-----------------------------------------

Hello,

Not it has been fixed in this PR https://github.com/apache/fineract/pull/1925

Regards

On Fri, 22 Oct 2021 at 6:03, Awasum Yannick (Jira) ()

> Make sure that using this pseudorandom number generator is safe
> ---------------------------------------------------------------
>
>                 Key: FINERACT-1415
>                 URL: https://issues.apache.org/jira/browse/FINERACT-1415
>             Project: Apache Fineract
>          Issue Type: Improvement
>    Affects Versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0
>            Reporter: Victor Romero
>            Assignee: Victor Romero
>            Priority: Major
>              Labels: tech-debt
>             Fix For: 1.6.0
>
>
> [https://sonarcloud.io/project/security_hotspots?id=apache_fineract#]
>
> Using pseudorandom number generators (PRNGs) is security-sensitive. For
> example, it has led in the past to the following vulnerabilities:
> * [CVE-2013-6386|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386]
> * [CVE-2006-3419|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419]
> * [CVE-2008-4102|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102]
> When software generates predictable values in a context requiring
> unpredictability, it may be possible for an attacker to guess the next value
> that will be generated, and use this guess to impersonate another user or
> access sensitive information.
> As the {{java.util.Random}} class relies on a pseudorandom number generator,
> this class and relating {{java.lang.Math.random()}} method should not be used
> for security-critical applications or for protecting sensitive data. In such
> context, the {{java.security.SecureRandom}} class which relies on a
> cryptographically strong random number generator (RNG) should be used in
> place.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
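Added example, not part of the original thread and not Fineract's code: the issue description's point about {{java.util.Random}} versus {{java.security.SecureRandom}}, shown as a weak token generator beside its hardened form. The class name `TokenDemo`, the method names, the 16-byte token size and the sample seed are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Hypothetical demo class; none of these names come from Fineract.
public class TokenDemo {

    // One shared instance: SecureRandom is thread-safe and costly to create.
    private static final SecureRandom SECURE = new SecureRandom();

    // Weak form: java.util.Random is a linear congruential generator with
    // 48 bits of internal state, so a 128-bit token drawn from it carries
    // at most 48 bits of entropy and is fully determined by the seed.
    static String weakToken(Random rng) {
        byte[] buf = new byte[16];
        rng.nextBytes(buf);
        return encode(buf);
    }

    // Hardened form: SecureRandom is a cryptographically strong generator
    // seeded from the platform's entropy source.
    static String strongToken() {
        byte[] buf = new byte[16];
        SECURE.nextBytes(buf);
        return encode(buf);
    }

    private static String encode(byte[] bytes) {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        // Constructed sample seed: a millisecond timestamp, the kind of
        // value that often ends up seeding java.util.Random.
        long seed = 1634886180000L;

        // Two independent generators with the same seed emit the same token.
        String issued = weakToken(new Random(seed));
        String reproduced = weakToken(new Random(seed));
        System.out.println("Random, same seed, identical tokens: "
                + issued.equals(reproduced));

        // SecureRandom exposes no comparable seed to reuse.
        String first = strongToken();
        String second = strongToken();
        System.out.println("SecureRandom, tokens differ: "
                + !first.equals(second));
    }
}
```

When reviewing a fix like the one tracked in this issue, check every call site that produces passwords, tokens, or identifiers, including indirect uses through {{Math.random()}}.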
[jira] [Commented] (FINERACT-1415) Make sure that using this pseudorandom number generator is safe
[ https://issues.apache.org/jira/browse/FINERACT-1415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17433186#comment-17433186 ]

VICTOR ROMERO commented on FINERACT-1415:
-----------------------------------------

*now

On Fri, 22 Oct 2021 at 19:02, VICTOR MANUEL ROMERO RODRIGUEZ (<
[jira] [Commented] (FINERACT-1415) Make sure that using this pseudorandom number generator is safe
[ https://issues.apache.org/jira/browse/FINERACT-1415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17432912#comment-17432912 ]

Awasum Yannick commented on FINERACT-1415:
------------------------------------------

[~victorromero], This looks like it was merged and then reverted? I don't know if we need to close this or leave it open... let us know...