commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "David Camilo Espitia Manrique (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (MATH-1182) BUG - Insufficient Entropy in Commons-math3-3.3
Date Tue, 23 Dec 2014 22:02:13 GMT

     [ https://issues.apache.org/jira/browse/MATH-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

David Camilo Espitia Manrique updated MATH-1182:
------------------------------------------------
    Description: 
We are currently using Commons-math3-3.3 and in the analysis for veracode, found this bug
in these class:

1. FastMath.java (Line 813)
2. SynchronizedRandomGenerator.java (Line 78 and Line 85)
3. UniformIntegerDistribution.java (Line 164 and Line 172)
4. RandomAdaptor.java (Line 143  and 159)

Type : Insufficient Entropy

Description:

Standard random number generators do not provide a sufficient amount of entropy when used
for security purposes.
Attackers can brute force the output of pseudorandom number generators such as rand().

Recommendations:

If this random number is used where security is a concern, such as generating a session key
or session identifier, use
a trusted cryptographic random number generator instead. These can be found on the Windows
platform in the
CryptoAPI or in an open source library such as OpenSSL.


Thanks.

  was:
We are currently using Commons-math3-3.3 and in the analysis for veracode, found this bug
in these class:

1. FastMath.java (Line 813)
2. SynchronizedRandomGenerator.java (Line 78 and Line 85)
3. UniformIntegerDistribution.java (Line 164 and Line 172)

Type : Insufficient Entropy

Description:

Standard random number generators do not provide a sufficient amount of entropy when used
for security purposes.
Attackers can brute force the output of pseudorandom number generators such as rand().

Recommendations:

If this random number is used where security is a concern, such as generating a session key
or session identifier, use
a trusted cryptographic random number generator instead. These can be found on the Windows
platform in the
CryptoAPI or in an open source library such as OpenSSL.


Thanks.


> BUG - Insufficient Entropy in Commons-math3-3.3
> -----------------------------------------------
>
>                 Key: MATH-1182
>                 URL: https://issues.apache.org/jira/browse/MATH-1182
>             Project: Commons Math
>          Issue Type: Bug
>    Affects Versions: 3.3
>            Reporter: David Camilo Espitia Manrique
>             Fix For: 3.3
>
>   Original Estimate: 120h
>  Remaining Estimate: 120h
>
> We are currently using Commons-math3-3.3 and in the analysis for veracode, found this
bug in these class:
> 1. FastMath.java (Line 813)
> 2. SynchronizedRandomGenerator.java (Line 78 and Line 85)
> 3. UniformIntegerDistribution.java (Line 164 and Line 172)
> 4. RandomAdaptor.java (Line 143  and 159)
> Type : Insufficient Entropy
> Description:
> Standard random number generators do not provide a sufficient amount of entropy when
used for security purposes.
> Attackers can brute force the output of pseudorandom number generators such as rand().
> Recommendations:
> If this random number is used where security is a concern, such as generating a session
key or session identifier, use
> a trusted cryptographic random number generator instead. These can be found on the Windows
platform in the
> CryptoAPI or in an open source library such as OpenSSL.
> Thanks.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message