Posted to issues@nifi.apache.org by "Joe Witt (Jira)" <ji...@apache.org> on 2021/01/17 01:47:00 UTC

[jira] [Commented] (NIFI-8147) Using a cryptographically weak Pseudo Random Number Generator (PRNG)

    [ https://issues.apache.org/jira/browse/NIFI-8147?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17266691#comment-17266691 ] 

Joe Witt commented on NIFI-8147:
--------------------------------

The report suggests there is a security relevance to this.  If that was the case our security reporting process should be followed for reporting.
However, this is not something needing to be addressed.  This feature is to make random garbage data that has no implied true randomness and no relationship to a security function.  I'll close the issue as working as expected.

> Using a cryptographically weak Pseudo Random Number Generator (PRNG)
> --------------------------------------------------------------------
>
>                 Key: NIFI-8147
>                 URL: https://issues.apache.org/jira/browse/NIFI-8147
>             Project: Apache NiFi
>          Issue Type: Improvement
>            Reporter: Ya Xiao
>            Priority: Major
>
> We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a reported vulnerability by certain tools. We'll appreciate it so much if you can give any feedback on it.
> *Vulnerability Description:*
> In file [nifi/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GenerateFlowFile.java|https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GenerateFlowFile.java], use java.util.Random instead of java.security.SecureRandom at Line 202.
> *Security Impact:*
> java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/338.html]
> *Solution we suggest:*
> Replace it with SecureRandom
> *Please share with us your opinions/comments if there is any:*
> Is the bug report helpful?
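The distinction the two messages turn on, shown as an added example that is not part of the ticket and not NiFi's own code: a seeded `java.util.Random` reproduces the same byte sequence on every run, which is acceptable for filler or test payloads of the kind GenerateFlowFile emits and unacceptable for anything that must be unguessable, where `java.security.SecureRandom` (seeded from the platform entropy source) is the right choice. The class name and the two helper methods are hypothetical names chosen for this demonstration.

```java
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;

public class RandomFillDemo {

    // Filler content with no security role (hypothetical helper name).
    // A fixed seed makes the output repeatable, which is a feature for
    // test data and a defect for anything an attacker must not predict.
    static byte[] fillerBytes(long seed, int size) {
        byte[] data = new byte[size];
        new Random(seed).nextBytes(data);
        return data;
    }

    // Security-relevant value such as a token, nonce or key material
    // (hypothetical helper name). SecureRandom is seeded from the
    // platform's entropy source and is the JDK's CSPRNG.
    static byte[] tokenBytes(int size) {
        byte[] data = new byte[size];
        new SecureRandom().nextBytes(data);
        return data;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample seed for the demonstration.
        byte[] a = fillerBytes(42L, 16);
        byte[] b = fillerBytes(42L, 16);
        System.out.println("java.util.Random, seed 42, run 1: " + hex(a));
        System.out.println("java.util.Random, seed 42, run 2: " + hex(b));
        System.out.println("identical across runs: " + Arrays.equals(a, b));

        byte[] t1 = tokenBytes(16);
        byte[] t2 = tokenBytes(16);
        System.out.println("SecureRandom draw 1: " + hex(t1));
        System.out.println("SecureRandom draw 2: " + hex(t2));
        System.out.println("draws differ: " + !Arrays.equals(t1, t2));
    }
}
```

The review question a scanner cannot answer is the one in the second method's comment: what the bytes are used for. A finding of CWE-338 is actionable only when the generated value feeds a security decision (authentication, session or token identity, keys, nonces), which is why a `java.util.Random` call producing placeholder payload content is correctly triaged as a false positive rather than patched to `SecureRandom`.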



--
This message was sent by Atlassian Jira
(v8.3.4#803005)