[FINERACT-1415] Make sure that using this pseudorandom number generator is safe - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0
Fix Version/s: 1.6.0
Component/s: Security
Labels:
- tech-debt

Description

https://sonarcloud.io/project/security_hotspots?id=apache_fineract#

Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:

When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.

As the java.util.Random class relies on a pseudorandom number generator, this class and relating java.lang.Math.random() method should not be used for security-critical applications or for protecting sensitive data. In such context, the java.security.SecureRandom class which relies on a cryptographically strong random number generator (RNG) should be used in place.

Attachments

Issue Links

links to

GitHub Pull Request #1908

GitHub Pull Request #1919

GitHub Pull Request #1925

Activity

People

Assignee:: Victor Romero

Reporter:: Victor Romero

Votes:: 1 Vote for this issue

Watchers:: 6 Start watching this issue

Dates

Created:: 20/Oct/21 05:56

Updated:: 26/Oct/21 11:15

Resolved:: 26/Oct/21 11:13