Posted to dev@openjpa.apache.org by David Camilo Espitia Manrrique <da...@payulatam.com> on 2014/12/23 20:33:26 UTC
Report Security Vulnerabilities - Insufficient Entropy - Openjpa-2.0.1.jar
Good Morning,
We are currently using "Openjpa-2.0.1" and the Veracode analysis found this bug in these classes:
1. NullSafeConcurrentHashMap.java (Line 240)
2. DistributionPolicy.java (Line 63)
3. ConcurrentReferenceHashMap.java (Line 60)
4. ConcurrentHashMap.java (Line 81)
*Type*: Insufficient Entropy
*Description:*
Standard random number generators do not provide a sufficient amount of entropy when used for security purposes. Attackers can brute force the output of pseudorandom number generators such as rand().
*Recommendations:*
If this random number is used where security is a concern, such as generating a session key or session identifier, use a trusted cryptographic random number generator instead. These can be found on the Windows platform in the CryptoAPI or in an open source library such as OpenSSL.
Thanks.
*David Camilo Espitia*
Software Engineer I
(+57) 1 756 3126 Ext.554
Calle 93 B # 17-25 OF 301
Bogotá - Colombia
*PayU Latam*
*www.payulatam.com* <http://www.payulatam.com/>
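As an added illustration of the scanner's recommendation, and not code from OpenJPA or from the reporter: a token generator written against java.util.Random shows why a seeded PRNG is unsuitable for session identifiers, beside the SecureRandom form the recommendation calls for. The class and method names are my own, and the example assumes nothing beyond a standard JDK.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added example (not OpenJPA code): a session-token generator parameterised
// over the RNG, so the weak and the corrected choice can be compared directly.
public class TokenEntropyDemo {
    private static final char[] ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".toCharArray();

    // Builds a token of the given length by drawing indices from the supplied RNG.
    // SecureRandom extends Random, so both variants share this code path.
    static String token(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET[rng.nextInt(ALPHABET.length)]);
        }
        return sb.toString();
    }

    // Weak: java.util.Random is a 48-bit linear congruential generator whose
    // entire output stream is fixed by its seed, so two instances seeded alike
    // emit identical tokens. An unseeded Random is no better: its state is
    // still only 48 bits, which is far below what a session identifier needs.
    static boolean weakTokensRepeat(long seed) {
        return token(new Random(seed), 32).equals(token(new Random(seed), 32));
    }

    // Corrected: SecureRandom is seeded from the platform's cryptographic
    // source and is the JDK counterpart of the CryptoAPI/OpenSSL generators
    // named in the scanner's recommendation.
    static String secureToken() {
        return token(new SecureRandom(), 32);
    }

    public static void main(String[] args) {
        // Constructed seed, used only to demonstrate the determinism.
        System.out.println("seeded Random tokens identical: " + weakTokensRepeat(12345L));
        System.out.println("SecureRandom token: " + secureToken());
    }
}
```

Whether a given flagged call site actually needs a cryptographic generator depends on what the value is used for, which the report above does not say; the contrast here applies to values that act as secrets, such as session identifiers.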