Ya Xiao created CASSANDRA-16389:
-----------------------------------

             Summary: Using a weak Pseudo Random Number Generator (PRNG)
                 Key: CASSANDRA-16389
                 URL: https://issues.apache.org/jira/browse/CASSANDRA-16389
             Project: Cassandra
          Issue Type: Improvement
            Reporter: Ya Xiao
We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of existing security vulnerability detection tools. The following is a vulnerability reported by certain tools. We would greatly appreciate any feedback you can give on it.

*Vulnerability Description*

In file org.apache.cassandra.gms.Gossiper.java, java.util.Random is used instead of java.security.SecureRandom at Line 123.

*Security Impact:*

java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.

*Useful Resources*:

https://cwe.mitre.org/data/definitions/338.html

*Solution we suggest*

Replace it with SecureRandom.

*Please share with us your opinions/comments if there are any*

Is the bug report helpful?

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
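Added example, not code from the report or from Cassandra: the practical meaning of CWE-338 for java.util.Random is that its entire 48-bit state can be recovered from two consecutive nextInt() outputs, after which every later value is predictable. The class below implements that recovery against the documented LCG constants (multiplier 0x5DEECE66DL, increment 0xB, 48-bit mask) and then shows the suggested drop-in replacement; SecureRandom extends java.util.Random, so a field declared as Random keeps compiling. The class name PrngPredictability and the helper names are my own. Whether the finding matters for Gossiper depends on what the value at the reported line feeds: the report does not say, and predictability is only a weakness if the output influences a security decision.

```java
import java.security.SecureRandom;
import java.util.Random;

/**
 * Demonstrates why java.util.Random is not suitable in a security context:
 * two consecutive nextInt() results are enough to recover its internal state.
 * (Example class written for this issue, not part of Cassandra.)
 */
public final class PrngPredictability {
    // Constants from the java.util.Random specification (48-bit LCG).
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** Advance the LCG one step exactly as java.util.Random.next() does. */
    static long step(long seed) {
        return (seed * MULT + ADD) & MASK;
    }

    /** nextInt() returns the top 32 bits of the 48-bit state. */
    static int output(long seed) {
        return (int) (seed >>> 16);
    }

    /**
     * Given two consecutive nextInt() values, brute-force the 16 hidden low
     * bits of the state that produced the first one and return the state
     * after the second call, or -1 if no candidate reproduces the pair.
     */
    static long recoverState(int first, int second) {
        long upper = ((long) first & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1 << 16); low++) {
            long candidate = upper | low;
            long next = step(candidate);
            if (output(next) == second) {
                return next;
            }
        }
        return -1;
    }

    public static void main(String[] args) {
        // Weak generator, as flagged by the report: leak two outputs, predict the rest.
        Random weak = new Random();
        long state = recoverState(weak.nextInt(), weak.nextInt());
        System.out.println("java.util.Random state recovered: " + (state != -1));
        for (int i = 0; i < 3; i++) {
            state = step(state);
            int predicted = output(state);
            int actual = weak.nextInt();
            System.out.printf("predicted=%d actual=%d %s%n",
                    predicted, actual, predicted == actual ? "MATCH" : "MISS");
        }

        // Suggested fix: SecureRandom is a java.util.Random subclass, so the
        // declared type can stay Random. The LCG model no longer applies; the
        // search either finds nothing or finds a candidate (about 1 in 65536)
        // that does not predict any further output.
        Random strong = new SecureRandom();
        long guess = recoverState(strong.nextInt(), strong.nextInt());
        System.out.println("SecureRandom state recovered: " + (guess != -1));
    }
}
```

Two caveats for the replacement itself: use `new SecureRandom()` rather than `SecureRandom.getInstanceStrong()` in a hot path such as gossip scheduling, since the strong instance can block on entropy on some platforms; and the recovery above targets the no-argument nextInt(), so if the flagged code calls nextInt(bound) the arithmetic differs even though the state is equally recoverable in principle.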