Affects Version/s: None
Fix Version/s: None
Component/s: Runtime / State Backends
We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of existing security vulnerability detection tools. The following is a vulnerability reported by certain tools. We would very much appreciate any feedback you can give on it.
In file flink/flink-end-to-end-tests/flink-stream-state-ttl-test/src/main/java/org/apache/flink/streaming/tests/verify/AbstractTtlStateVerifier.java, java.util.Random is used instead of java.security.SecureRandom at Line 39.
java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.
Solution we suggest:
Replace it with SecureRandom
Please share with us your opinions/comments if there are any:
Is the bug report helpful?
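An added example, not from the Flink code base, of what "not cryptographically strong" means for java.util.Random: it ports Java's 48-bit linear congruential generator to Python and shows that two consecutive nextInt() outputs are enough to recover the hidden state and predict every later value, a property SecureRandom does not have. Whether this matters at Line 39 depends on whether those values are used in a security context; the seed values below are constructed.

```python
# Added example (not Flink code): a port of java.util.Random's 48-bit LCG showing
# that two nextInt() outputs reveal the hidden state and thus all later outputs.
from typing import Optional

MULT = 0x5DEECE66D   # multiplier used by java.util.Random
INC = 0xB            # increment
MASK = (1 << 48) - 1  # state is 48 bits wide


def _to_signed32(v: int) -> int:
    """Interpret a 32-bit value as a Java int."""
    return v - (1 << 32) if v >= (1 << 31) else v


class JavaRandom:
    """Minimal port of java.util.Random(seed).nextInt()."""
    def __init__(self, seed: int) -> None:
        self.state = (seed ^ MULT) & MASK  # Random(long) scrambles the seed

    def next_int(self) -> int:
        self.state = (self.state * MULT + INC) & MASK
        return _to_signed32(self.state >> 16)  # nextInt() = top 32 bits


def recover_state(out1: int, out2: int) -> Optional[int]:
    """Return the state right after out2 given two consecutive nextInt() values.

    out1 is the top 32 bits of the 48-bit state, so only 2**16 low-bit
    candidates remain; the one whose successor yields out2 is the real state.
    Returns None if the pair did not come from java.util.Random."""
    high = (out1 & 0xFFFFFFFF) << 16
    target = out2 & 0xFFFFFFFF
    for low in range(1 << 16):
        nxt = ((high | low) * MULT + INC) & MASK
        if nxt >> 16 == target:
            return nxt
    return None


def predict_next(out1: int, out2: int) -> Optional[int]:
    """Predict the third nextInt() from the first two, or None on failure."""
    state = recover_state(out1, out2)
    return None if state is None else _to_signed32(((state * MULT + INC) & MASK) >> 16)


if __name__ == "__main__":
    rng = JavaRandom(2024)  # constructed seed; unknown to the observer
    seen = [rng.next_int(), rng.next_int()]
    print("observed", seen, "predicted", predict_next(*seen), "actual", rng.next_int())
```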