You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@cassandra.apache.org by "Alex Petrov (Jira)" <ji...@apache.org> on 2021/01/18 09:16:00 UTC
[jira] [Commented] (CASSANDRA-16389) Using a cryptographically weak
Pseudo Random Number Generator (PRNG)
[ https://issues.apache.org/jira/browse/CASSANDRA-16389?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17267110#comment-17267110 ]
Alex Petrov commented on CASSANDRA-16389:
-----------------------------------------
I'm not sure if there are any security risks involved with using non-secure random for gossip.
> Using a cryptographically weak Pseudo Random Number Generator (PRNG)
> --------------------------------------------------------------------
>
> Key: CASSANDRA-16389
> URL: https://issues.apache.org/jira/browse/CASSANDRA-16389
> Project: Cassandra
> Issue Type: Improvement
> Components: Cluster/Gossip
> Reporter: Ya Xiao
> Priority: Low
>
> We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a reported vulnerability by certain tools. We'll so appreciate it if you can give any feedback on it.
> *Vulnerability Description*
> In file [cassandra/src/java/org/apache/cassandra/gms/Gossiper.java|https://github.com/apache/cassandra/blob/79e693e16e2152097c5b27d2d7aaa1763e34f594/src/java/org/apache/cassandra/gms/Gossiper.java], use java.util.Random instead of java.security.SecureRandom at Line 123.
> *Security Impact:*
> Java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/338.html]
> *Solution we suggest*
> Replace it with SecureRandom
> *Please share with us your opinions/comments if there is any*
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@cassandra.apache.org
For additional commands, e-mail: commits-help@cassandra.apache.org