Posted to issues@fineract.apache.org by "Victor Romero (Jira)" <ji...@apache.org> on 2021/10/20 05:57:00 UTC

[jira] [Created] (FINERACT-1415) Make sure that using this pseudorandom number generator is safe

Victor Romero created FINERACT-1415:
---------------------------------------

             Summary: Make sure that using this pseudorandom number generator is safe
                 Key: FINERACT-1415
                 URL: https://issues.apache.org/jira/browse/FINERACT-1415
             Project: Apache Fineract
          Issue Type: Improvement
            Reporter: Victor Romero


[https://sonarcloud.io/project/security_hotspots?id=apache_fineract#]


Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:
 * [CVE-2013-6386|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386]
 * [CVE-2006-3419|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419]
 * [CVE-2008-4102|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102]

When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.

As the {{java.util.Random}} class relies on a pseudorandom number generator, this class and the related {{java.lang.Math.random()}} method should not be used for security-critical applications or for protecting sensitive data. In such contexts, the {{java.security.SecureRandom}} class, which relies on a cryptographically strong random number generator (RNG), should be used instead.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
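The following is an added example written for this page; it is not code from the Fineract project or from the issue reporter. It shows concretely why the hotspot above matters: java.util.Random is a 48-bit linear congruential generator (the constants 0x5DEECE66DL, 0xBL and the 48-bit mask are the ones used by OpenJDK's implementation), and nextInt() leaks the top 32 bits of that state. An attacker who observes two consecutive nextInt() values (for example two tokens or IDs) only has to brute-force the 16 hidden low bits to recover the full state and predict every later value. The class name PrngPredictability and the helper names are assumptions for this illustration; the SecureRandom path shows the replacement the rule asks for.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

/** Added example (not Fineract code): predicting java.util.Random vs. using SecureRandom. */
public class PrngPredictability {

    // LCG parameters of java.util.Random as implemented in OpenJDK.
    private static final long MULTIPLIER = 0x5DEECE66DL;
    private static final long ADDEND = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** One LCG step; nextInt() returns the upper 32 bits of the new state. */
    static long step(long state) {
        return (state * MULTIPLIER + ADDEND) & MASK;
    }

    /**
     * Recover the generator's internal state from two consecutive nextInt() outputs.
     * The first output fixes the upper 32 bits of the state that produced it, so only
     * the 16 low bits are unknown (65536 candidates). Returns the state after the
     * second output, or -1 if no candidate reproduces it.
     */
    static long recoverState(int first, int second) {
        long high = ((long) first & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1 << 16); low++) {
            long candidate = high | low;
            long next = step(candidate);
            if ((int) (next >>> 16) == second) {
                return next;
            }
        }
        return -1;
    }

    /** Given a recovered state, compute what the next nextInt() call will return. */
    static int predictNext(long state) {
        return (int) (step(state) >>> 16);
    }

    /** The safe alternative: an unguessable token from a CSPRNG. */
    static String secureToken(int numBytes) {
        byte[] buf = new byte[numBytes];
        new SecureRandom().nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Attacker's view: two values handed out by the application (constructed here).
        Random weak = new Random();
        int observedA = weak.nextInt();
        int observedB = weak.nextInt();

        long state = recoverState(observedA, observedB);
        int predicted = predictNext(state);
        int actual = weak.nextInt();
        System.out.println("java.util.Random: predicted " + predicted + ", actual " + actual
                + (predicted == actual ? " (attacker predicted it)" : " (mismatch)"));

        // Two SecureRandom tokens share no recoverable state; nothing here helps an attacker.
        System.out.println("SecureRandom token: " + secureToken(32));
    }
}
```

The recovery works for unbounded nextInt() calls; nextInt(bound), nextLong() and nextDouble() consume the state differently, but they are built on the same 48-bit LCG and are equally predictable once the state is known. Seeding with System.currentTimeMillis() or similar does not help either, since the state is recovered from outputs, not guessed from the seed. For anything that must be unguessable (session identifiers, password reset tokens, OTPs), use SecureRandom as in secureToken above.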