Posted to issues@fineract.apache.org by "Victor Romero (Jira)" <ji...@apache.org> on 2021/10/20 05:57:00 UTC
[jira] [Created] (FINERACT-1415) Make sure that using this pseudorandom number generator is safe
Victor Romero created FINERACT-1415:
---------------------------------------
Summary: Make sure that using this pseudorandom number generator is safe
Key: FINERACT-1415
URL: https://issues.apache.org/jira/browse/FINERACT-1415
Project: Apache Fineract
Issue Type: Improvement
Reporter: Victor Romero
[https://sonarcloud.io/project/security_hotspots?id=apache_fineract#]
Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:
* [CVE-2013-6386|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386]
* [CVE-2006-3419|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419]
* [CVE-2008-4102|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102]
When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.
As the {{java.util.Random}} class relies on a pseudorandom number generator, this class and relating {{java.lang.Math.random()}} method should not be used for security-critical applications or for protecting sensitive data. In such context, the {{java.security.SecureRandom}} class which relies on a cryptographically strong random number generator (RNG) should be used in place.
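An added illustration of the two patterns the description contrasts (this is example code, not code from the Fineract project or from the ticket; the class and method names are assumed): a token generator built on {{java.util.Random}} beside the same generator built on {{java.security.SecureRandom}}.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class TokenGenerators {

    // Weak: java.util.Random is a 48-bit linear congruential generator. Its internal
    // state is fully determined by the seed and is recoverable from observed outputs,
    // so a session id or reset token derived from it is guessable. The no-arg
    // constructor seeds from the clock plus a counter, not from an entropy source.
    static String insecureToken(int numBytes) {
        Random rnd = new Random();
        byte[] buf = new byte[numBytes];
        rnd.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Hardened: SecureRandom is backed by the platform CSPRNG (e.g. /dev/urandom or
    // the Windows crypto provider). One shared instance is fine; it is thread-safe,
    // and creating it per call only wastes time.
    private static final SecureRandom SECURE_RNG = new SecureRandom();

    static String secureToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        SECURE_RNG.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Why the weak form fails a security review: the same seed yields the same
        // stream every time, which is exactly the predictability the ticket warns about.
        Random a = new Random(42L);
        Random b = new Random(42L);
        System.out.println("java.util.Random repeats for equal seeds: "
                + (a.nextLong() == b.nextLong())); // prints true

        // Two draws from SecureRandom share no seed and are independent.
        System.out.println("secure token 1: " + secureToken(32)); // 256 bits, 43 URL-safe chars
        System.out.println("secure token 2: " + secureToken(32));
    }
}
```

When replacing {{Random}} in existing code, also check for {{Math.random()}} call sites and for any {{Random}} that is explicitly seeded with a constant or a timestamp, since those are the cases SonarCloud flags as the hotspot.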
--
This message was sent by Atlassian Jira
(v8.3.4#803005)