Flink / FLINK-20996

Using a cryptographically weak Pseudo Random Number Generator (PRNG)


    Details

    • Type: Improvement
    • Status: Open
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None

      Description

We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a vulnerability reported by certain tools. We'll so appreciate it if you can give any feedback on it.

Vulnerability Description:

In file flink/flink-end-to-end-tests/flink-stream-state-ttl-test/src/main/java/org/apache/flink/streaming/tests/verify/AbstractTtlStateVerifier.java, java.util.Random is used instead of java.security.SecureRandom at Line 39.

Security Impact:

java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.

Useful Resources:

https://cwe.mitre.org/data/definitions/338.html

Solution we suggest:

Replace it with SecureRandom.

Please share with us your opinions/comments if there are any:

Is the bug report helpful?
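As an added illustration (not code from this report or from Flink), the flagged pattern is shown beside the suggested SecureRandom replacement, together with a check that makes the weakness concrete: every value java.util.Random produces is a deterministic function of its 48-bit seed, so two instances seeded alike emit identical streams. The class and method names here are constructed for the example. Since the flagged file lives under flink-end-to-end-tests, the practical severity depends on whether the generated value is ever security-sensitive.

```java
import java.security.SecureRandom;
import java.util.Random;

public class PrngComparison {
    // Pattern the tool flagged (constructed stand-in, not the Flink verifier's code):
    // a java.util.Random instance producing values that might be treated as unpredictable.
    static final Random WEAK = new Random();

    // Suggested replacement: SecureRandom draws from the platform CSPRNG and is
    // intended for values that must not be guessable (tokens, keys, nonces).
    static final SecureRandom STRONG = new SecureRandom();

    /** n bytes from the weak generator: fine for test data, unsuitable for secrets. */
    static byte[] weakBytes(int n) {
        byte[] b = new byte[n];
        WEAK.nextBytes(b);
        return b;
    }

    /** n bytes from the cryptographically strong generator. */
    static byte[] strongBytes(int n) {
        byte[] b = new byte[n];
        STRONG.nextBytes(b);
        return b;
    }

    /**
     * Why java.util.Random fails CWE-338: its output is fully determined by the seed.
     * Two instances with the same seed reproduce each other's stream exactly, so an
     * observer who learns (or guesses) the seed can regenerate every "random" value.
     */
    static boolean weakIsReproducible(long seed) {
        Random a = new Random(seed);
        Random b = new Random(seed);
        for (int i = 0; i < 16; i++) {
            if (a.nextLong() != b.nextLong()) return false;
        }
        return true; // always true for java.util.Random
    }

    public static void main(String[] args) {
        System.out.println("Random stream reproducible from seed: " + weakIsReproducible(42L));
        System.out.println("weak bytes:   " + weakBytes(8).length);
        System.out.println("strong bytes: " + strongBytes(8).length);
    }
}
```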

    • Assignee: Unassigned
    • Reporter: Ya Xiao