commons-issues mailing list archives

From "Frank Ch. Eigler (Jira)" <j...@apache.org>
Subject [jira] [Created] (LANG-1607) To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG
Date Fri, 18 Sep 2020 19:33:00 GMT
Frank Ch. Eigler created LANG-1607:
--------------------------------------

             Summary: To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG
                 Key: LANG-1607
                 URL: https://issues.apache.org/jira/browse/LANG-1607
             Project: Commons Lang
          Issue Type: Bug
            Reporter: Frank Ch. Eigler


In [https://nvd.nist.gov/vuln/detail/CVE-2019-16303], the org.apache.commons.lang3.RandomStringUtils randomAlphanumeric() function is used to generate random strings. Because of weaknesses of the default RNG, this allows baddies to predict other randomAlphanumeric() results, which in this large family of client programs, results in severe vulnerabilities.

While the class is not documented to be "cryptographically safe", it would be prudent to upgrade the default RNG used in these classes to a crypto-usable level, such as with the java.security.SecureRandom nextBytes().

See e.g. this github PR, which is being replicated THOUSANDS of times, in order to work around this problem in countless users of this library. [https://github.com/elderdb/neptune/pull/1]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
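The caller-side mitigation the issue alludes to, as an added example that is not part of the Jira message, the linked PR, or the Commons Lang code base: the no-argument randomAlphanumeric() helper draws from the class's shared java.util.Random, but commons-lang3 also exposes a random(...) overload whose last parameter is a java.util.Random, and java.security.SecureRandom is a subclass of that type, so callers can route the existing character-set logic through a CSPRNG today without waiting for a default change. The class name TokenGeneration, the method names, the 32-character length and the plain-JDK fallback are assumptions made for this illustration; the commons-lang3 dependency is assumed to be on the classpath.

```java
import java.security.SecureRandom;
import java.util.Random;

import org.apache.commons.lang3.RandomStringUtils;

/**
 * Added example, not code from the Jira issue or from Commons Lang itself.
 * Assumes commons-lang3 on the classpath. randomAlphanumeric(int) and the
 * seven-argument random(...) overload are real commons-lang3 methods; every
 * other name here is illustrative.
 */
public final class TokenGeneration {

    // Same character set randomAlphanumeric() produces (ASCII letters + digits).
    private static final String ALPHANUMERIC =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    /**
     * Weak for secrets: the no-arg helper uses the class's static
     * java.util.Random, whose 48-bit state is not designed to resist
     * prediction from observed outputs.
     */
    static String weakToken(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    /**
     * Hardened with the same library. start=0, end=0, chars=null together
     * with letters=true, numbers=true select the default alphanumeric range,
     * so the output alphabet matches randomAlphanumeric(); only the source of
     * randomness changes. Pass a SecureRandom (it extends java.util.Random).
     */
    static String secureToken(int length, Random rng) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, rng);
    }

    /**
     * Hardened without the library, for callers that can drop the dependency.
     * nextInt(bound) on SecureRandom is uniform over [0, bound), so there is
     * no modulo bias across the 62-character alphabet.
     */
    static String secureTokenPlainJdk(int length, SecureRandom rng) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHANUMERIC.charAt(rng.nextInt(ALPHANUMERIC.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // One long-lived SecureRandom per process is the usual pattern;
        // constructing a fresh one per token is unnecessary and slow.
        SecureRandom rng = new SecureRandom();

        System.out.println("weak (java.util.Random):   " + weakToken(32));
        System.out.println("secure (commons-lang3):    " + secureToken(32, rng));
        System.out.println("secure (plain JDK):        " + secureTokenPlainJdk(32, rng));
    }
}
```

The two hardened variants are interchangeable from the caller's point of view; the commons-lang3 one is the smaller diff for an existing code base that already calls randomAlphanumeric(), which is why it is the natural shape for the kind of per-project workaround the issue describes.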
