Posted to issues@fineract.apache.org by "Awasum Yannick (Jira)" <ji...@apache.org> on 2021/10/20 19:59:00 UTC

[jira] [Updated] (FINERACT-1415) Make sure that using this pseudorandom number generator is safe

     [ https://issues.apache.org/jira/browse/FINERACT-1415?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Awasum Yannick updated FINERACT-1415:
-------------------------------------
    Affects Version/s: 1.0.0
                       1.1.0
                       1.2.0
                       1.3.0
                       1.4.0
                       1.5.0

> Make sure that using this pseudorandom number generator is safe
> ---------------------------------------------------------------
>
>                 Key: FINERACT-1415
>                 URL: https://issues.apache.org/jira/browse/FINERACT-1415
>             Project: Apache Fineract
>          Issue Type: Improvement
>    Affects Versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0
>            Reporter: Victor Romero
>            Assignee: Victor Romero
>            Priority: Major
>
> [https://sonarcloud.io/project/security_hotspots?id=apache_fineract#]
>  
> Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:
>  * [CVE-2013-6386|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386]
>  * [CVE-2006-3419|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419]
>  * [CVE-2008-4102|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102]
> When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
> As the {{java.util.Random}} class relies on a pseudorandom number generator, this class and the related {{java.lang.Math.random()}} method should not be used for security-critical applications or for protecting sensitive data. In such a context, the {{java.security.SecureRandom}} class, which relies on a cryptographically strong random number generator (RNG), should be used in its place.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
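The two patterns the hotspot describes, side by side, as an added example that is not Fineract code and not part of the Jira issue: a token built from java.util.Random / Math.random() beside the same token built from SecureRandom. The class name TokenGenerators, the 32-byte token length and the seed value 42 are constructed for the demonstration.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

/**
 * Added example (hypothetical class, not from Fineract): the weak pattern flagged by
 * the Sonar hotspot next to its fix. Both halves produce a token of the kind used for
 * password resets, one-time codes or session identifiers.
 */
public final class TokenGenerators {

    private static final int TOKEN_BYTES = 32;            // constructed size for the demo
    private static final String ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";

    /** Weak: java.util.Random is a 48-bit linear congruential generator; every output is
     *  a function of its seed, so a caller who learns or guesses the seed knows all tokens. */
    static String weakToken(Random rng) {
        byte[] buf = new byte[TOKEN_BYTES];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Weak: Math.random() is just a shared java.util.Random behind a static method;
     *  this is the other shape Sonar reports under the same hotspot. */
    static String weakAlphanumericToken(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt((int) (Math.random() * ALPHABET.length())));
        }
        return sb.toString();
    }

    /** Fix: SecureRandom draws from the platform CSPRNG (e.g. /dev/urandom or a
     *  DRBG). Do not call setSeed() on it before first use: for the SHA1PRNG provider
     *  that makes the stream fully determined by the seed, reintroducing the problem. */
    static String secureToken(SecureRandom rng) {
        byte[] buf = new byte[TOKEN_BYTES];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    /** Fix for the alphanumeric variant: nextInt(bound) on SecureRandom is unbiased
     *  for the bound, unlike scaling Math.random() by the alphabet length. */
    static String secureAlphanumericToken(SecureRandom rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Reusing a seed reproduces the "random" token exactly: this is the predictability
        // the issue warns about. A production service that seeds from time or a counter
        // has the same property, just with a seed that is easier to guess than to read.
        long seed = 42L;                                   // constructed value
        String a = weakToken(new Random(seed));
        String b = weakToken(new Random(seed));
        System.out.println("java.util.Random, same seed, same token: " + a.equals(b));

        // SecureRandom is self-seeded from the OS; two draws are independent.
        SecureRandom sr = new SecureRandom();
        String c = secureToken(sr);
        String d = secureToken(sr);
        System.out.println("SecureRandom, consecutive tokens equal: " + c.equals(d));

        System.out.println("Math.random() code: " + weakAlphanumericToken(8));
        System.out.println("SecureRandom code:  " + secureAlphanumericToken(sr, 8));
    }
}
```

When replacing java.util.Random in an existing code base, keep a single long-lived SecureRandom instance per component rather than constructing one per call; construction can be comparatively slow on some platforms, and the instance is thread-safe. The check that reviewers usually want alongside the change is a grep for `new Random(`, `Math.random(` and `setSeed(` in the same module, since a SecureRandom that is explicitly seeded from a predictable value is no better than the class it replaced.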