Subject: Re: camel pull request: VERACODE-659,660,663, 664: Insufficient Entropy (CWE ID...
From: Daniel Kulp
To: dev@camel.apache.org
Date: Fri, 27 Dec 2013 08:40:01 -0500
Message-Id: <782883E1-1D2E-4794-A673-ADD79DA56B4E@apache.org>
In-Reply-To: <20131226124707.BAC3B51484@tyr.zones.apache.org>

I'm really against committing this.

It involves flipping from Random to SecureRandom for a bunch of places that do not require or need the security aspects of SecureRandom. Randomly selecting the next server for load balancing and the redelivery stuff certainly does NOT require the full secure randomness.

However, using SecureRandom in these cases would then start consuming system entropy that could then be needed for cases where it IS required, like cryptography. Without that entropy available, it could severely slow down or hang some of the cryptography cases.

The Veracode notice explicitly says:

> If this random number is used where security is a concern, such as generating a session key or session identifier

which is NOT the case here. Thus, this is not a concern.

Dan

On Dec 26, 2013, at 7:47 AM, MrLion wrote:

> GitHub user MrLion opened a pull request:
>
> https://github.com/apache/camel/pull/80
>
> VERACODE-659,660,663, 664: Insufficient Entropy (CWE ID 331)
>
> During a Veracode scan of our application we discovered several warnings in Camel. Please review our fix and apply it if it makes sense.
>
> Quote from Veracode report below:
>
> Insufficient Entropy (CWE ID 331) (7 flaws)
>
> Description
> Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().
>
> Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to fix.
>
> Recommendations
> If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL.
>
> You can merge this pull request into a Git repository by running:
>
> $ git pull https://github.com/engagepoint/camel patch-ENT-Entropy
>
> Alternatively you can review and apply these changes as the patch at:
>
> https://github.com/apache/camel/pull/80.patch
>
> ----
> commit de7766f2451a7013b54c285f378bf7cbfef1d766
> Author: leonid.marushevskiy
> Date: 2013-12-20T14:43:55Z
>
> VERACODE-659: fix of CWE ID 331 insufficient entropy in RandomLoadBalancer
>
> commit a1920ad74c7f10ce3148482bd7d033b530a3e681
> Author: leonid.marushevskiy
> Date: 2013-12-20T14:49:43Z
>
> VERACODE-660: fix of CWE ID 331 insufficient entropy in RedeliveryPolicy
>
> commit a3ea9952d612a7214815d5ea3c2102fd7819eb6d
> Author: leonid.marushevskiy
> Date: 2013-12-20T14:52:50Z
>
> VERACODE-663: fix of CWE ID 331 insufficient entropy in WeightedRandomLoadBalancer
>
> commit fa7a52fe6ce05a26c3826161fc8c3e42eebb2861
> Author: leonid.marushevskiy
> Date: 2013-12-20T14:56:10Z
>
> VERACODE-654: fix of CWE ID 331 insufficient entropy in FileUtil
>
> ----

-- 
Daniel Kulp
dkulp@apache.org - http://dankulp.com/blog
Talend Community Coder - http://coders.talend.com
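The distinction argued in this thread, as an added illustration that is not Camel code and not part of the original message: non-security choices such as picking the next load-balancer target stay on java.util.Random (here its per-thread variant), while an unguessable identifier, the case the Veracode recommendation actually describes, uses SecureRandom. The endpoint names and the jitter helper are constructed for the example; the reading of redelivery randomness as delay jitter is an assumption.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.List;
import java.util.concurrent.ThreadLocalRandom;

/** Added example (not Camel's code): match the RNG to what the value protects. */
public final class RandomUsageExample {

    // Security-irrelevant: which endpoint handles the next exchange.
    // An attacker who predicts this gains nothing, so the entropy cost of
    // SecureRandom buys nothing here. ThreadLocalRandom is java.util.Random
    // without the shared-seed contention.
    public static String pickEndpoint(List<String> endpoints) {
        int index = ThreadLocalRandom.current().nextInt(endpoints.size());
        return endpoints.get(index);
    }

    // Security-irrelevant (assumed reading of the redelivery case): random jitter
    // added to a retry delay only spreads retries out; predictability is harmless.
    public static long jitteredDelayMillis(long baseMillis, long maxJitterMillis) {
        return baseMillis + ThreadLocalRandom.current().nextLong(maxJitterMillis + 1);
    }

    // Security-relevant: a session identifier must be unguessable, so this is where
    // SecureRandom belongs. The default SecureRandom on Linux reads /dev/urandom and
    // does not block; only SecureRandom.getInstanceStrong() may block on /dev/random.
    private static final SecureRandom SECURE = new SecureRandom();

    public static String newSessionId() {
        byte[] buf = new byte[32]; // 256 bits of CSPRNG output
        SECURE.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Constructed sample endpoints, not taken from any real route.
        List<String> endpoints = List.of("direct:a", "direct:b", "direct:c");
        System.out.println("next endpoint : " + pickEndpoint(endpoints));
        System.out.println("redelivery in : " + jitteredDelayMillis(1000, 250) + " ms");
        System.out.println("session id    : " + newSessionId());
    }
}
```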