CASSANDRA-16389

Using a cryptographically weak Pseudo Random Number Generator (PRNG)


Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Low
    • Resolution: Not A Problem
    • Component/s: Cluster/Gossip
    • Semantic
    • Complexity: Low Hanging Fruit
    • Platform: All

    Description

      We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a vulnerability reported by certain tools. We would so appreciate it if you can give any feedback on it.

      Vulnerability Description:

      In file cassandra/src/java/org/apache/cassandra/gms/Gossiper.java, use of java.util.Random instead of java.security.SecureRandom at Line 123.

      Security Impact:

      java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.

      Useful Resources:

      https://cwe.mitre.org/data/definitions/338.html

      Solution we suggest:

      Replace it with SecureRandom.

      Please share with us your opinions/comments if there are any.

      Is the bug report helpful?

People

Assignee: Unassigned
Reporter: Ya Xiao (yaxiao)