You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@flink.apache.org by "Ya Xiao (Jira)" <ji...@apache.org> on 2021/01/16 04:18:00 UTC

[jira] [Created] (FLINK-20996) Using a cryptographically weak Pseudo Random Number Generator (PRNG)

Ya Xiao created FLINK-20996:
-------------------------------

             Summary: Using a cryptographically weak Pseudo Random Number Generator (PRNG)
                 Key: FLINK-20996
                 URL: https://issues.apache.org/jira/browse/FLINK-20996
             Project: Flink
          Issue Type: Improvement
            Reporter: Ya Xiao


We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a reported vulnerability by certain tools. We'll so appreciate it if you can give any feedback on it.

*Vulnerability Description:*

{color:#172b4d}In file flink/flink-end-to-end-tests/flink-stream-state-ttl-test/src/main/java/org/apache/flink/streaming/tests/verify/AbstractTtlStateVerifier.java{color}, use java.util.Random instead of java.security.SecureRandom at Line 39.

*Security Impact:*

Java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.

*Useful Resources*:

[https://cwe.mitre.org/data/definitions/338.html]

*Solution we suggest:*

Replace it with SecureRandom

*Please share with us your opinions/comments if there is any:*

Is the bug report helpful?



--
This message was sent by Atlassian Jira
(v8.3.4#803005)