camel-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Willem Jiang (JIRA)" <j...@apache.org>
Subject [jira] [Resolved] (CAMEL-7095) Veracode compliance. Insufficient Entropy (CWE ID 331)
Date Fri, 27 Dec 2013 03:33:50 GMT

     [ https://issues.apache.org/jira/browse/CAMEL-7095?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Willem Jiang resolved CAMEL-7095.
---------------------------------

    Resolution: Won't Fix

> Veracode compliance. Insufficient Entropy (CWE ID 331)
> ------------------------------------------------------
>
>                 Key: CAMEL-7095
>                 URL: https://issues.apache.org/jira/browse/CAMEL-7095
>             Project: Camel
>          Issue Type: Wish
>    Affects Versions: 2.11.2, 2.12.2, 2.13.0
>            Reporter: Leonid Marushevskiy
>            Assignee: Willem Jiang
>            Priority: Minor
>
> https://github.com/apache/camel/pull/80
> During Veracode scan of our application we discover several warnings in Camel. Please
review our fix and apply it if it make sense.
> Quote from Veracode report below:
> Insufficient Entropy (CWE ID 331)(7 flaws)
> Description
> Standard random number generators do not provide a sufficient amount of entropy when
used for security purposes.
> Attackers can brute force the output of pseudorandom number generators such as rand().
> Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1 day to
fix.
> Recommendations
> If this random number is used where security is a concern, such as generating a session
key or session identifier, use a trusted cryptographic random number generator instead. These
can be found on the Windows platform in the
> CryptoAPI or in an open source library such as OpenSSL.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Mime
View raw message