Posted to issues@bookkeeper.apache.org by GitBox <gi...@apache.org> on 2021/01/16 01:30:00 UTC

[GitHub] [bookkeeper] AthenaXiao opened a new issue #2539: Using a cryptographically weak Pseudo Random Number Generator (PRNG)

AthenaXiao opened a new issue #2539:
URL: https://github.com/apache/bookkeeper/issues/2539


   We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a vulnerability reported by certain tools. We would greatly appreciate it if you could give any feedback on it.
   
   **Vulnerability Description**:
   
   In file bookkeeper/bookkeeper-server/src/main/java/org/apache/bookkeeper/client/DynamicWeightedRandomSelectionImpl.java, java.util.Random is used instead of java.security.SecureRandom at line 57.
   
   **Security Impact**:
   
   java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.
   
   **Useful Resources**:
   
   https://cwe.mitre.org/data/definitions/338.html
   
   **Solution we suggest**:
   
   Replace it with SecureRandom
   
   **Please share with us your opinions/comments if there is any**:
   
   Is the bug report helpful?


----------------------------------------------------------------
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



[GitHub] [bookkeeper] AthenaXiao edited a comment on issue #2539: Using a cryptographically weak Pseudo Random Number Generator (PRNG)

Posted by GitBox <gi...@apache.org>.
AthenaXiao edited a comment on issue #2539:
URL: https://github.com/apache/bookkeeper/issues/2539#issuecomment-766275236


   Thank you so much for replying. We agree that the bug detector is unable to know the context. There might be a gap between the tools and the demands in practice. We want to collect some information to narrow down the gap. We would greatly appreciate it if you could share some opinions about the following questions. Your feedback is important for us to help improve the state of the art.
   
   1. What kind of support do you think is necessary for a bug detector to be useful in practice? Take this as an example: maybe a more accurate context or a demonstration of exploits is expected?
   2. Are there any types of bugs/security vulnerabilities you want the detection tools to pay more attention to?
   3. For a verified bug/vulnerability, what kind of support/features do you expect to help fix it?
   4. What kind of bug checker/vulnerability detection tools are you using? Do you think they are helpful?





[GitHub] [bookkeeper] AthenaXiao commented on issue #2539: Using a cryptographically weak Pseudo Random Number Generator (PRNG)

Posted by GitBox <gi...@apache.org>.
AthenaXiao commented on issue #2539:
URL: https://github.com/apache/bookkeeper/issues/2539#issuecomment-766275236


   Thank you so much for replying. We agree that this reported case is unable to know the context. There might be a gap between the tools and the demands in practice. We want to collect some information to narrow down the gap. We would greatly appreciate it if you could share some opinions about the following questions. Your feedback is important for us to help improve the state of the art.
   
   1. What kind of support do you think is necessary for a bug detector to be useful in practice? Take this as an example: maybe a more accurate context or a demonstration of exploits is expected?
   2. Are there any types of bugs/security vulnerabilities you want the detection tools to pay more attention to?
   3. For a verified bug/vulnerability, what kind of support/features do you expect to help fix it?
   4. What kind of bug checker/vulnerability detection tools are you using? Do you think they are helpful?





[GitHub] [bookkeeper] eolivelli closed issue #2539: Using a cryptographically weak Pseudo Random Number Generator (PRNG)

Posted by GitBox <gi...@apache.org>.
eolivelli closed issue #2539:
URL: https://github.com/apache/bookkeeper/issues/2539


   





[GitHub] [bookkeeper] eolivelli commented on issue #2539: Using a cryptographically weak Pseudo Random Number Generator (PRNG)

Posted by GitBox <gi...@apache.org>.
eolivelli commented on issue #2539:
URL: https://github.com/apache/bookkeeper/issues/2539#issuecomment-761521029


   That class is not related to security mechanisms, so it is not worth using a SecureRandom
   
   Thanks


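The contrast the maintainer's reply draws, as an added illustration that is not BookKeeper's code and not the class named in the report: a weighted selection where the quality of the random stream only affects load distribution, beside a value that must be unguessable. Class, method and bookie names here are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Map;
import java.util.Random;

// Hypothetical illustration; not org.apache.bookkeeper code.
public final class RandomSourceTriage {

    // Picks a key proportionally to its weight. If an observer can predict
    // this stream they learn which entry is chosen next, which affects only
    // load distribution, not a secret or an authorization decision, so
    // java.util.Random is an acceptable source (the CWE-338 finding is a
    // false positive in this context).
    static <T> T weightedPick(Map<T, Integer> weights, Random rng) {
        int total = weights.values().stream().mapToInt(Integer::intValue).sum();
        if (total <= 0) {
            throw new IllegalArgumentException("weights must sum to a positive value");
        }
        int r = rng.nextInt(total);
        for (Map.Entry<T, Integer> e : weights.entrySet()) {
            r -= e.getValue();
            if (r < 0) {
                return e.getKey();
            }
        }
        throw new AssertionError("unreachable: r < total by construction");
    }

    // Produces a value whose unpredictability is the security property
    // (e.g. a session token). Here a predictable stream hands an attacker a
    // real advantage, so SecureRandom is the correct source.
    static String unguessableToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Constructed sample weights; the seed is fixed only for reproducibility.
        Map<String, Integer> weights = Map.of("bookie-a", 3, "bookie-b", 1);
        Random rng = new Random(42);
        int a = 0;
        for (int i = 0; i < 10_000; i++) {
            if (weightedPick(weights, rng).equals("bookie-a")) a++;
        }
        System.out.println("bookie-a chosen " + a + " of 10000 (expect roughly 7500)");
        System.out.println("token: " + unguessableToken(16));
    }
}
```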