[jira] [Updated] (FLINK-20996) Using a cryptographically weak Pseudo Random Number Generator (PRNG)

[ https://issues.apache.org/jira/browse/FLINK-20996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Flink Jira Bot updated FLINK-20996:
---
    Labels: auto-deprioritized-major auto-deprioritized-minor  (was: auto-deprioritized-major stale-minor)
    Priority: Not a Priority  (was: Minor)

This issue was labeled "stale-minor" 7 days ago and has not received any updates, so it is being deprioritized. If this ticket is actually Minor, please raise the priority and ask a committer to assign you the issue or revive the public discussion.

> Using a cryptographically weak Pseudo Random Number Generator (PRNG)
>
>                 Key: FLINK-20996
>                 URL: https://issues.apache.org/jira/browse/FLINK-20996
>             Project: Flink
>          Issue Type: Improvement
>          Components: Runtime / State Backends
>            Reporter: Ya Xiao
>            Priority: Not a Priority
>              Labels: auto-deprioritized-major, auto-deprioritized-minor
>
> We are a security research team at Virginia Tech. We are doing an empirical
> study about the usefulness of the existing security vulnerability detection
> tools. The following is a reported vulnerability by certain tools. We'll
> greatly appreciate it if you can give any feedback on it.
>
> *Vulnerability Description:*
> In file flink/flink-end-to-end-tests/flink-stream-state-ttl-test/src/main/java/org/apache/flink/streaming/tests/verify/AbstractTtlStateVerifier.java
> (https://github.com/apache/flink/blob/97bfd049951f8d52a2e0aed14265074c4255ead0/flink-end-to-end-tests/flink-stream-state-ttl-test/src/main/java/org/apache/flink/streaming/tests/verify/AbstractTtlStateVerifier.java),
> java.util.Random is used instead of java.security.SecureRandom at line 39.
>
> *Security Impact:*
> java.util.Random is not cryptographically strong and may expose sensitive
> information to certain types of attacks when used in a security context.
>
> *Useful Resources:*
> https://cwe.mitre.org/data/definitions/338.html
>
> *Solution we suggest:*
> Replace it with SecureRandom.
>
> *Please share with us your opinions/comments if there are any:*
> Is the bug report helpful?

--
This message was sent by Atlassian Jira
(v8.20.1#820001)
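The pattern the report flags and the replacement it suggests, side by side, as an added illustration that is not code from the Flink file named above (the class and method names are assumed):

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

// Added example (not Flink code): the weak PRNG pattern beside the fix the
// report suggests. Class and method names are assumed for illustration only.
public final class PrngContrast {

    // Weak form (CWE-338): java.util.Random is a 48-bit linear congruential
    // generator. Every value it will ever emit is fixed by its seed, and a
    // 48-bit seed is far too small for anything that must stay secret.
    static String weakToken(long seed, int numBytes) {
        Random rng = new Random(seed);      // same seed -> identical sequence
        byte[] buf = new byte[numBytes];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Recommended form: SecureRandom is seeded from the platform's entropy
    // source and its output cannot be predicted from earlier output.
    static String secureToken(int numBytes) {
        SecureRandom rng = new SecureRandom();  // self-seeds; do not pass a fixed seed
        byte[] buf = new byte[numBytes];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Two Random instances with the same seed yield the same "secret":
        // reproducibility is exactly what a security context must not have.
        System.out.println("weak   #1: " + weakToken(42L, 16));
        System.out.println("weak   #2: " + weakToken(42L, 16));
        // Each SecureRandom draw is independent of the previous one.
        System.out.println("secure #1: " + secureToken(16));
        System.out.println("secure #2: " + secureToken(16));
    }
}
```

Whether line 39 is a security context is the project's call: a test verifier that only needs reproducible sample state is well served by a seeded java.util.Random, and SecureRandom is the right choice where the generated values must be unguessable.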
[jira] [Updated] (FLINK-20996) Using a cryptographically weak Pseudo Random Number Generator (PRNG)

[ https://issues.apache.org/jira/browse/FLINK-20996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Flink Jira Bot updated FLINK-20996:
---
    Labels: auto-deprioritized-major stale-minor  (was: auto-deprioritized-major)

I am the Flink Jira Bot (https://github.com/apache/flink-jira-bot/) and I help the community manage its development. I see this issue has been marked as Minor but is unassigned and neither it nor its Sub-Tasks have been updated for 180 days. I have gone ahead and marked it "stale-minor". If this ticket is still Minor, please either assign yourself or give an update. Afterwards, please remove the label or in 7 days the issue will be deprioritized.
[jira] [Updated] (FLINK-20996) Using a cryptographically weak Pseudo Random Number Generator (PRNG)

[ https://issues.apache.org/jira/browse/FLINK-20996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Flink Jira Bot updated FLINK-20996:
---
    Priority: Minor  (was: Major)
[jira] [Updated] (FLINK-20996) Using a cryptographically weak Pseudo Random Number Generator (PRNG)

[ https://issues.apache.org/jira/browse/FLINK-20996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Flink Jira Bot updated FLINK-20996:
---
    Labels: auto-deprioritized-major  (was: stale-major)
[jira] [Updated] (FLINK-20996) Using a cryptographically weak Pseudo Random Number Generator (PRNG)

[ https://issues.apache.org/jira/browse/FLINK-20996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Flink Jira Bot updated FLINK-20996:
---
    Labels: stale-major  (was: )
[jira] [Updated] (FLINK-20996) Using a cryptographically weak Pseudo Random Number Generator (PRNG)

[ https://issues.apache.org/jira/browse/FLINK-20996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Metzger updated FLINK-20996:
---
    Component/s: Runtime / State Backends
[jira] [Updated] (FLINK-20996) Using a cryptographically weak Pseudo Random Number Generator (PRNG)

[ https://issues.apache.org/jira/browse/FLINK-20996?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Ya Xiao updated FLINK-20996:
---
    Description: (the current issue description; the file path is now linked to its GitHub source at commit 97bfd049951f8d52a2e0aed14265074c4255ead0)

was:
We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a reported vulnerability by certain tools. We'll greatly appreciate it if you can give any feedback on it.

*Vulnerability Description:*
In file flink/flink-end-to-end-tests/flink-stream-state-ttl-test/src/main/java/org/apache/flink/streaming/tests/verify/AbstractTtlStateVerifier.java, java.util.Random is used instead of java.security.SecureRandom at line 39.

*Security Impact:*
java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.

*Useful Resources:*
https://cwe.mitre.org/data/definitions/338.html

*Solution we suggest:*
Replace it with SecureRandom.

*Please share with us your opinions/comments if there are any:*
Is the bug report helpful?