CASSANDRA-16389: Using a cryptographically weak Pseudo Random Number Generator (PRNG)


Details

• Type: Improvement
• Status: Resolved
• Priority: Low
• Resolution: Not A Problem
• Fix Version/s: None
• Component/s: Cluster/Gossip
• Labels: None
• Change Category: Semantic
• Complexity: Low Hanging Fruit
• Platform: All
• Impacts: None

Description

We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a vulnerability reported by certain tools. We would very much appreciate any feedback you can give on it.

Vulnerability Description

In file cassandra/src/java/org/apache/cassandra/gms/Gossiper.java, java.util.Random is used instead of java.security.SecureRandom at line 123.

Security Impact:

java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.

Useful Resources:

https://cwe.mitre.org/data/definitions/338.html

Solution we suggest

Replace it with SecureRandom.

Please share your opinions/comments with us, if any.

Is the bug report helpful?

People

• Assignee: Unassigned
• Reporter: Ya Xiao