Details
Type: Improvement
Status: Resolved
Priority: Low
Resolution: Not A Problem
Semantic
Complexity: Low Hanging Fruit
Platform: All
Description
We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of existing security vulnerability detection tools. The following is a vulnerability reported by certain tools. We would greatly appreciate any feedback you can give on it.
Vulnerability Description
In file cassandra/src/java/org/apache/cassandra/gms/Gossiper.java, java.util.Random is used instead of java.security.SecureRandom at line 123.
Security Impact:
java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.
Useful Resources:
https://cwe.mitre.org/data/definitions/338.html
Solution we suggest
Replace it with SecureRandom
Please share your opinions/comments with us if there are any.
Is the bug report helpful?
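The following is an added, self-contained example (not code from Cassandra or from the reporters) showing what the CWE-338 concern means in practice: java.util.Random is a 48-bit linear congruential generator, and its complete internal state can be recovered from two consecutive nextInt() outputs by brute-forcing the 16 low bits that nextInt() discards, after which every later output is predictable. The same recovery run against SecureRandom finds no consistent state. The class and method names here are illustrative; the constants are the JDK's documented LCG parameters.

```java
import java.security.SecureRandom;
import java.util.Random;

/**
 * Demonstrates why java.util.Random must not be used where an attacker
 * must be unable to guess the next value (CWE-338). Added example; not
 * part of Cassandra.
 */
public class PredictJavaUtilRandom {
    // LCG parameters from the java.util.Random specification.
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** One generator step, identical to java.util.Random.next(). */
    static long step(long state) {
        return (state * MULT + ADD) & MASK;
    }

    /**
     * Recover the 48-bit state of a java.util.Random from two consecutive
     * nextInt() outputs. nextInt() returns the top 32 bits of the state, so
     * only the low 16 bits are unknown; try all 65536 candidates and keep
     * the one that produces out2 on the next step. Returns the state after
     * the second call, or -1 if no candidate fits (as for a CSPRNG).
     */
    static long recoverState(int out1, int out2) {
        long upper = ((long) out1 << 16) & MASK;
        for (long low = 0; low < (1 << 16); low++) {
            long candidate = upper | low;
            long next = step(candidate);
            if ((int) (next >>> 16) == out2) {
                return next;
            }
        }
        return -1;
    }

    /** Predict the next nextInt() output from a recovered state. */
    static int predictNext(long state) {
        return (int) (step(state) >>> 16);
    }

    public static void main(String[] args) {
        // Weak generator: the default seed is irrelevant, the attack only
        // needs two observed outputs.
        Random weak = new Random();
        int a = weak.nextInt();
        int b = weak.nextInt();
        long state = recoverState(a, b);
        int predicted = predictNext(state);
        int actual = weak.nextInt();
        System.out.println("java.util.Random: predicted=" + predicted
                + " actual=" + actual + " match=" + (predicted == actual));

        // Strong generator: no 48-bit LCG state explains the outputs, so
        // recovery fails (a spurious match has probability about 2^-16
        // and would still mispredict the next value).
        SecureRandom strong = new SecureRandom();
        int c = strong.nextInt();
        int d = strong.nextInt();
        long secureState = recoverState(c, d);
        if (secureState == -1) {
            System.out.println("SecureRandom: no consistent state found");
        } else {
            int guess = predictNext(secureState);
            System.out.println("SecureRandom: coincidental candidate, guess="
                    + guess + " actual=" + strong.nextInt());
        }
    }
}
```

Compile and run with `javac PredictJavaUtilRandom.java && java PredictJavaUtilRandom`. Whether this attack matters for a given call site depends on whether the value has to be unguessable by an adversary (tokens, nonces, salts, session identifiers); that security-context question is what CWE-338 is scoped to and what a triage of a report like this one turns on.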