Posted to dev@openjpa.apache.org by David Camilo Espitia Manrrique <da...@payulatam.com> on 2014/12/23 20:33:26 UTC

Report Security Vulnerabilities - Insufficient Entropy - Openjpa-2.0.1.jar

Good Morning,

We are currently using "Openjpa-2.0.1" and in the Veracode analysis we found
this bug in these classes:

1. NullSafeConcurrentHashMap.java (Line 240)
2. DistributionPolicy.java (Line 63)
3. ConcurrentReferenceHashMap.java (Line 60)
4. ConcurrentHashMap.java (Line 81)


*Type*:  Insufficient Entropy

*Description:*

Standard random number generators do not provide a sufficient amount of
entropy when used for security purposes.
Attackers can brute force the output of pseudorandom number generators such
as rand().

*Recommendations:*

If this random number is used where security is a concern, such as
generating a session key or session identifier, use
a trusted cryptographic random number generator instead. These can be found
on the Windows platform in the
CryptoAPI or in an open source library such as OpenSSL.



Thanks.

*David Camilo Espitia*
Software Engineer I


Skype:

(+57) 1 756 3126 Ext.554

Calle 93 B # 17-25 OF 301

Bogotá - Colombia

*Pay**U** Latam*

*www.payulatam.com* <http://www.payulatam.com/>
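As an added illustration of the finding class described in the report above (this is example code, not OpenJPA's code and not from the reporter): java.util.Random is a 48-bit linear congruential generator whose nextInt() exposes the top 32 bits of its state, so two observed outputs let anyone reconstruct the state and predict every later value, whereas the recommended SecureRandom has no recoverable state. Class and method names below are the example's own.

```java
import java.security.SecureRandom;
import java.util.Random;

// Added example (not OpenJPA code): why a scanner flags java.util.Random as
// "Insufficient Entropy" when its output reaches a security-sensitive use.
public class InsufficientEntropyDemo {
    // Constants of java.util.Random's 48-bit LCG (public in the JDK source).
    private static final long MULT = 0x5DEECE66DL, ADD = 0xBL, MASK = (1L << 48) - 1;

    // One generator step, exactly as java.util.Random.next(bits) performs it.
    static long step(long state) { return (state * MULT + ADD) & MASK; }

    // nextInt() returns the top 32 bits of the freshly updated 48-bit state.
    static int top32(long state) { return (int) (state >>> 16); }

    /** Recover the generator state after r2 from two consecutive nextInt() values; -1 if none fits. */
    static long recoverState(int r1, int r2) {
        long high = ((long) r1 & 0xFFFFFFFFL) << 16;      // r1 fixes 32 of the 48 state bits
        for (long low = 0; low < (1L << 16); low++) {      // only 65536 candidates remain
            long next = step(high | low);
            if (top32(next) == r2) return next;            // r2 confirms the hidden low bits
        }
        return -1;
    }

    /** The value the generator will hand out next, given its recovered state. */
    static int predictNext(long state) { return top32(step(state)); }

    public static void main(String[] args) {
        Random weak = new Random();                        // the flagged construct
        int r1 = weak.nextInt(), r2 = weak.nextInt();
        long state = recoverState(r1, r2);
        System.out.println("predicted " + predictNext(state) + ", actual " + weak.nextInt());

        // Remediation where the value must be unguessable (session ids, keys, tokens):
        byte[] token = new byte[16];
        new SecureRandom().nextBytes(token);               // CSPRNG backed by the OS entropy source
        System.out.printf("SecureRandom token: %032x%n", new java.math.BigInteger(1, token));
    }
}
```

The predicted and actual values match on every run; whether a given OpenJPA usage actually needs a CSPRNG depends on whether its output ever becomes a security decision, which the report does not establish.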