Details
- Improvement
- Status: Closed
- Not a Priority
- Resolution: Later
Description
We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of existing security vulnerability detection tools. The following is a vulnerability reported by certain tools. We would appreciate any feedback you can give on it.
Vulnerability Description:
In file flink/flink-end-to-end-tests/flink-stream-state-ttl-test/src/main/java/org/apache/flink/streaming/tests/verify/AbstractTtlStateVerifier.java, java.util.Random is used instead of java.security.SecureRandom at line 39.
Security Impact:
java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.
Useful Resources:
https://cwe.mitre.org/data/definitions/338.html
Solution we suggest:
Replace it with SecureRandom.
Please share your opinions/comments with us, if any:
Is the bug report helpful?
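The triage question behind a CWE-338 finding is whether the generated value is ever a secret. The flagged file sits under flink-end-to-end-tests, where a generator produces test input, and a seeded java.util.Random is the appropriate choice there because a failing run can be replayed from its seed; SecureRandom belongs where the output is a token, nonce, salt or key. The following example is added here to illustrate that distinction; it is not Flink code and does not reproduce AbstractTtlStateVerifier, and the class and method names are assumptions chosen for the illustration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import java.util.Random;

/** Added example (not Flink code): where each generator belongs. */
public class RandomnessChoice {

    /**
     * Test-data generator: a seeded java.util.Random is the right tool here.
     * Determinism is a feature, since a failing test can be replayed from its
     * seed. The values are never secrets, so predictability is not a weakness.
     */
    static long[] testValues(long seed, int count) {
        Random rnd = new Random(seed);
        long[] out = new long[count];
        for (int i = 0; i < count; i++) {
            out[i] = rnd.nextLong();
        }
        return out;
    }

    /**
     * Secret generator: session tokens, nonces, salts, keys.
     * java.util.Random is a 48-bit linear congruential generator and is not
     * cryptographically strong (CWE-338). SecureRandom draws from the platform
     * CSPRNG; leave it unseeded so the provider seeds it itself.
     */
    static String newToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Reproducible: same seed, same sequence, run after run.
        long[] a = testValues(42L, 3);
        long[] b = testValues(42L, 3);
        System.out.println("seeded Random reproducible: " + Arrays.equals(a, b));

        // Unpredictable: two freshly generated tokens should never match.
        String t1 = newToken(32);
        String t2 = newToken(32);
        System.out.println("tokens differ: " + !t1.equals(t2));
        System.out.println("token: " + t1);
    }
}
```

When reviewing a batch of such tool findings, the useful check is to classify each `new Random(` site by what consumes its output: test input, sampling, or backoff jitter can stay on java.util.Random, while anything that ends up in an authentication, session or cryptographic path is the case the CWE describes and should move to SecureRandom.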