camel-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Antoine DESSAIGNE (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CAMEL-8606) Attack Vector: java.util.Random.nextInt
Date Thu, 09 Apr 2015 14:23:12 GMT

    [ https://issues.apache.org/jira/browse/CAMEL-8606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14487413#comment-14487413
] 

Antoine DESSAIGNE commented on CAMEL-8606:
------------------------------------------

Hi Willem,

I totally agree with you there's absolutely no security risk with the usage of these _non-secure_
random.

That being said, there are a *lot* of static code analyzers. For me updating the code will:
* prevent this kind of false-positive issues from being created again and again
* reduce the noises from these analysis reports and potentially detect real issues that are
not drowned in false-positive.

Regards,

Antoine

> Attack Vector: java.util.Random.nextInt
> ---------------------------------------
>
>                 Key: CAMEL-8606
>                 URL: https://issues.apache.org/jira/browse/CAMEL-8606
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-core
>            Reporter: kishore kumar
>
> Standard random number generators do not provide a sufficient amount of entropy when
used for security purposes. Attackers can brute force the output of pseudorandom number generators
such as rand().
> Remediation: If this random number is used where security is a concern, such as generating
a session key or session identifier, use a trusted cryptographic random number generator instead.
These can be found on the Windows platform in the CryptoAPI or in an open source library such
as OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy.
> Few classes used java.util.Random.
> WeightedRandomLoadBalancer.java: 56
> RedeliveryPolicy.java: 221
> FileUtil.java: 330
> RandomLoadBalancer.java: 44
> FileUtil.java: 334
> OptimisticLockRetryPolicy.java: 63



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message