You are viewing a plain text version of this content. The canonical link for it is here.
Posted to issues@nifi.apache.org by "Ya Xiao (Jira)" <ji...@apache.org> on 2021/01/16 06:06:00 UTC
[jira] [Created] (NIFI-8147) Using a cryptographically weak Pseudo
Random Number Generator (PRNG)
Ya Xiao created NIFI-8147:
-----------------------------
Summary: Using a cryptographically weak Pseudo Random Number Generator (PRNG)
Key: NIFI-8147
URL: https://issues.apache.org/jira/browse/NIFI-8147
Project: Apache NiFi
Issue Type: Improvement
Reporter: Ya Xiao
We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a reported vulnerability by certain tools. We'll so appreciate it if you can give any feedback on it.
*Vulnerability Description:*
In file [nifi/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GenerateFlowFile.java|https://github.com/apache/nifi/blob/main/nifi-nar-bundles/nifi-standard-bundle/nifi-standard-processors/src/main/java/org/apache/nifi/processors/standard/GenerateFlowFile.java], use java.util.Random instead of java.security.SecureRandom at Line 202.
*Security Impact:*
Java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.
*Useful Resources*:
[https://cwe.mitre.org/data/definitions/338.html]
*Solution we suggest:*
Replace it with SecureRandom
*Please share with us your opinions/comments if there is any:*
Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)