RandomStringUtils.random() drains the systems entropy pool and blocks

Since we upgraded to Version 3.15 of commons-lang we have experienced performance problems and timeout issues during deployments. Our analysis suggests that this is due to issues introduced with this change, namely the use of SecureRandom.getInstanceStrong() in src/main/java/org/apache/commons/lang3/RandomUtils.java. SecureRandom.getInstanceStrong() uses /dev/random instead of /dev/urandom on linux systems. which leads to terrible performance when little entropy is available on the system.

Here is what seems to happen in our case

• Our deployments use Liquibase for database schema migrations
• Liquibase uses RandomStringUtils to generate internal identifiers, and it generates quite a few of them. (This might be a strange decision on their side as well, but probably not the issue here)
• Each call to RandomStringUtils.random() takes a few bytes out of the systems entropy pool. This can be traced by calling cat /proc/sys/kernel/random/entropy_avail on the linux shell.
• The systems entropy pool gets drained quickly and when it is empty, calls to RandomStringUtils.random() will block until new entropy becomes available. Since we are running on a virtual machine, new bytes are added very slowly to the systems entropy pool (about 3-4 bytes per second)
• Ultimately, our deployments fail with a timeout because Liquibase was unable to finish in time

I am not a security expert, but the general consensus on the internet seems to be that using /dev/urandom instead of /dev/random should be equally secure for almost all use cases.

Maybe the call to SecureRandom.getInstaceStrong() in RandomUtils could be replaced with new SecureRandom(). Calls to RandomStringUtils.random(...) should then be no longer blocking (probably).