camel-dev mailing list archives

From Daniel Kulp <dk...@apache.org>
Subject Re: camel pull request: VERACODE-659,660,663, 664: Insufficient Entropy (CWE ID...
Date Fri, 27 Dec 2013 13:40:01 GMT


I’m really against committing this.  

It involves flipping from Random to SecureRandom for a bunch of places that do not require
or need the security aspects of SecureRandom.   Randomly selecting the next server for load
balancing and the redelivery stuff certainly does NOT require the full secure randomness.
  

However, using SecureRandom in these cases would then start consuming system entropy that
could then be needed for cases where it IS required, like cryptography.    Without that entropy
available, it could severely slow down or hang some of the cryptography cases.

The Veracode notice explicitly says:

>  If this random number is used where security is a concern, such as generating a session
key or session identifier


which is NOT the case here.   Thus, this is not a concern.


Dan



On Dec 26, 2013, at 7:47 AM, MrLion <git@git.apache.org> wrote:

> GitHub user MrLion opened a pull request:
> 
>    https://github.com/apache/camel/pull/80
> 
>    VERACODE-659,660,663, 664: Insufficient Entropy (CWE ID 331)
> 
>    During a Veracode scan of our application we discovered several warnings in Camel. Please
>    review our fix and apply it if it makes sense.
> 
>    Quote from Veracode report below:
>    Insufficient Entropy (CWE ID 331)(7 flaws)
>    Description
>    Standard random number generators do not provide a sufficient amount of entropy when
used for security purposes.
>    Attackers can brute force the output of pseudorandom number generators such as rand().
>    Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day
to fix.
>    Recommendations
>    If this random number is used where security is a concern, such as generating a session
key or session identifier, use a trusted cryptographic random number generator instead. These
can be found on the Windows platform in the
>    CryptoAPI or in an open source library such as OpenSSL.
> 
> You can merge this pull request into a Git repository by running:
> 
>    $ git pull https://github.com/engagepoint/camel patch-ENT-Entropy
> 
> Alternatively you can review and apply these changes as the patch at:
> 
>    https://github.com/apache/camel/pull/80.patch
> 
> ----
> commit de7766f2451a7013b54c285f378bf7cbfef1d766
> Author: leonid.marushevskiy <leonid.marushevskiy@engagepoint.com>
> Date:   2013-12-20T14:43:55Z
> 
>    VERACODE-659: fix of CWE ID 331 insufficient entropy in RandomLoadBalancer
> 
> commit a1920ad74c7f10ce3148482bd7d033b530a3e681
> Author: leonid.marushevskiy <leonid.marushevskiy@engagepoint.com>
> Date:   2013-12-20T14:49:43Z
> 
>    VERACODE-660: fix of CWE ID 331 insufficient entropy in RedeliveryPolicy
> 
> commit a3ea9952d612a7214815d5ea3c2102fd7819eb6d
> Author: leonid.marushevskiy <leonid.marushevskiy@engagepoint.com>
> Date:   2013-12-20T14:52:50Z
> 
>    VERACODE-663: fix of CWE ID 331 insufficient entropy in WeightedRandomLoadBalancer
> 
> commit fa7a52fe6ce05a26c3826161fc8c3e42eebb2861
> Author: leonid.marushevskiy <leonid.marushevskiy@engagepoint.com>
> Date:   2013-12-20T14:56:10Z
> 
>    VERACODE-654: fix of CWE ID 331 insufficient entropy in FileUtil
> 
> ----
> 

-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
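The split Dan is arguing for, shown as an added example (not Camel code, and not from the pull request): the cheap java.util.Random family stays in charge of load-balancing decisions, while SecureRandom is reserved for values an attacker must not be able to guess. The class and method names (RandomSeparation, pickEndpoint, pickWeighted, newSessionId, predictableFromSeed) and the server URLs are made up for illustration. The last method shows why the Veracode recommendation is right for the session-identifier case: a java.util.Random stream is entirely determined by its 48-bit seed, so two instances seeded alike produce identical output.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Random;
import java.util.concurrent.ThreadLocalRandom;

/**
 * Added example, not part of Apache Camel: keep the non-cryptographic PRNG for
 * routing decisions and use the CSPRNG only where unpredictability matters.
 * All names in this class are hypothetical.
 */
public class RandomSeparation {

    /** Non-security use: pick the next endpoint uniformly at random. */
    static <T> T pickEndpoint(List<T> endpoints) {
        // ThreadLocalRandom is a java.util.Random variant: fast, does not
        // draw on the OS entropy pool, and predictability is irrelevant here.
        return endpoints.get(ThreadLocalRandom.current().nextInt(endpoints.size()));
    }

    /** Non-security use: weighted selection, the idea behind a weighted random balancer. */
    static <T> T pickWeighted(List<T> endpoints, int[] weights) {
        int total = 0;
        for (int w : weights) {
            if (w <= 0) throw new IllegalArgumentException("weights must be positive");
            total += w;
        }
        // Pick a point in [0, total) and walk the cumulative weights to find its bucket.
        int r = ThreadLocalRandom.current().nextInt(total);
        for (int i = 0; i < weights.length; i++) {
            r -= weights[i];
            if (r < 0) return endpoints.get(i);
        }
        throw new IllegalStateException("unreachable: r < total by construction");
    }

    // One SecureRandom per class; it is thread-safe and seeds itself from the OS.
    private static final SecureRandom CSPRNG = new SecureRandom();

    /** Security use: a session identifier must come from the CSPRNG. */
    static String newSessionId() {
        byte[] buf = new byte[32]; // 256 bits of unpredictable material
        CSPRNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /**
     * Why java.util.Random is wrong for the session case: its whole output
     * stream is a function of a 48-bit seed, so anyone who learns (or brute
     * forces) the seed reproduces every value it will ever emit.
     */
    static boolean predictableFromSeed(long seed) {
        Random a = new Random(seed);
        Random b = new Random(seed);
        for (int i = 0; i < 5; i++) {
            if (a.nextLong() != b.nextLong()) return false;
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample endpoints; the URLs are placeholders.
        List<String> servers = Arrays.asList("http://a:8080", "http://b:8080", "http://c:8080");
        System.out.println("next server: " + pickEndpoint(servers));
        System.out.println("weighted:    " + pickWeighted(servers, new int[]{1, 2, 7}));
        System.out.println("session id:  " + newSessionId());
        System.out.println("Random reproducible from its seed: " + predictableFromSeed(42L));
    }
}
```

Compile and run with any Java 8 or later JDK (`javac RandomSeparation.java && java RandomSeparation`). The two balancer methods never touch SecureRandom, so they cannot compete with TLS handshakes or key generation for entropy; the session-id method is the only place the CSPRNG is exercised, which is exactly where the Veracode text says it belongs.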

