commons-issues mailing list archives

From "Frank Ch. Eigler (Jira)" <j...@apache.org>
Subject [jira] [Commented] (LANG-1607) To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG
Date Mon, 21 Sep 2020 19:17:00 GMT

[ https://issues.apache.org/jira/browse/LANG-1607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17199612#comment-17199612 ]

Frank Ch. Eigler commented on LANG-1607:
----------------------------------------

I see, an earlier search for the CVE name came up completely empty.  Maybe it was a search
system problem.

Is my impression correct that the code maintainers are refusing to change the default RNG, and
have decided to handle this as a documentation issue only?  If so, I guess we can close this
with the Jira equivalent of "WONTFIX", too bad.

> To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG
> ----------------------------------------------------------------------------
>
>                 Key: LANG-1607
>                 URL: https://issues.apache.org/jira/browse/LANG-1607
>             Project: Commons Lang
>          Issue Type: Bug
>            Reporter: Frank Ch. Eigler
>            Priority: Major
>
> In [https://nvd.nist.gov/vuln/detail/CVE-2019-16303], the org.apache.commons.lang3.RandomStringUtils randomAlphanumeric()
> function is used to generate random strings.  Because of weaknesses of the default RNG, this
> allows baddies to predict other randomAlphanumeric() results, which in this large family of
> client programs, results in severe vulnerabilities.
> While the class is not documented to be "cryptographically safe", it would be prudent
> to upgrade the default RNG used in these classes to be crypto-usable level, such as with the
> java.security.SecureRandom nextBytes().
> See e.g. this github PR, which is being replicated THOUSANDS of times, in order to work
> around this problem in countless users of this library.  [https://github.com/elderdb/neptune/pull/1]



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
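The workaround the issue refers to, shown as an added example rather than code from the ticket or from Commons Lang itself: the convenience method `randomAlphanumeric()` draws from the class's internal `java.util.Random`, while the seven-argument `random(...)` overload accepts any `java.util.Random`, so callers can supply a `SecureRandom` and keep the same alphabet. The class name `SecureTokens` and the method names are assumptions made for this example.

```java
import java.security.SecureRandom;
import org.apache.commons.lang3.RandomStringUtils;

public final class SecureTokens {
    // One SecureRandom for the whole process: it is thread-safe and seeds
    // itself from the platform entropy source on first use (assumption:
    // the JDK's default SecureRandom provider).
    private static final SecureRandom SECURE = new SecureRandom();

    // Weak form from the report: output of the default java.util.Random
    // behind RandomStringUtils lets an observer infer later results, so
    // this must not be used for session ids, reset tokens or passwords.
    static String weakToken(int length) {
        return RandomStringUtils.randomAlphanumeric(length);
    }

    // Hardened form: same alphabet, caller-supplied RNG.
    // start = 0 and end = 0 with letters = true and numbers = true make the
    // library select exactly the [A-Za-z0-9] range that randomAlphanumeric()
    // uses, while the final argument replaces the internal RNG.
    static String secureToken(int length) {
        return RandomStringUtils.random(length, 0, 0, true, true, null, SECURE);
    }

    public static void main(String[] args) {
        // 32 alphanumeric characters carry roughly 190 bits of entropy,
        // comfortably above the 128 bits usually required for a bearer token.
        System.out.println("secure token: " + secureToken(32));
    }
}
```

Searching a code base for `randomAlphanumeric(`, `randomAlphabetic(`, `randomNumeric(` and `randomAscii(` finds the call sites that still rely on the default RNG and need this overload instead.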
