You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@camel.apache.org by "Willem Jiang (JIRA)" <ji...@apache.org> on 2015/04/09 11:15:12 UTC
[jira] [Commented] (CAMEL-8606) Attack Vector:
java.util.Random.nextInt
[ https://issues.apache.org/jira/browse/CAMEL-8606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14487026#comment-14487026 ]
Willem Jiang commented on CAMEL-8606:
-------------------------------------
Hi Kishore,
The classes which you showed do not use the Random.nextInt is not used to generate the random number for the session key or session identifier. I don't think we need to switch it to use the SecureRandom.
Regards,
Willem
> Attack Vector: java.util.Random.nextInt
> ---------------------------------------
>
> Key: CAMEL-8606
> URL: https://issues.apache.org/jira/browse/CAMEL-8606
> Project: Camel
> Issue Type: Improvement
> Components: camel-core
> Reporter: kishore kumar
>
> Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().
> Remediation: If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy.
> Few classes used java.util.Random.
> WeightedRandomLoadBalancer.java: 56
> RedeliveryPolicy.java: 221
> FileUtil.java: 330
> RandomLoadBalancer.java: 44
> FileUtil.java: 334
> OptimisticLockRetryPolicy.java: 63
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)