[
https://issues.apache.org/jira/browse/HDFS-15825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Ying Zhang updated HDFS-15825:
------------------------------
Description:
We are a security research team at Virginia Tech. We are doing an empirical
study about the usefulness of the existing security vulnerability detection
tools. The following is a vulnerability reported by certain tools. We would
greatly appreciate it if you could give any feedback on it.
*Vulnerability Description:*
In file src/java/org/apache/hadoop/hdfs/server/namenode/NNStorage.java,
java.util.Random is used instead of java.security.SecureRandom at line 617.
*Security Impact:*
java.util.Random is not cryptographically strong and may expose sensitive
information to certain types of attacks when used in a security context.
*Useful Resources:*
[https://cwe.mitre.org/data/definitions/338.html]
*Solution we suggest:*
Replace it with SecureRandom.
*Please share with us your opinions/comments if there are any:*
Is the bug report helpful?
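The following Java snippet is an added illustration of the point the report makes, not code from the Hadoop project or from the reporter; the `weakToken`/`strongToken` helpers and the seed value are constructed for this example. It shows the property that matters for a security-relevant identifier: two `java.util.Random` instances built from the same seed emit the same bytes, whereas `SecureRandom` self-seeds from the platform CSPRNG and gives no such replay.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class PrngExample {
    // Weak: java.util.Random is a 48-bit linear congruential generator. Its whole
    // output stream is fixed by the seed, and when no seed is given the seed is
    // derived from System.nanoTime(), which an observer can narrow down.
    static String weakToken(long seed) {
        Random rnd = new Random(seed);
        byte[] buf = new byte[16];
        rnd.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    // Hardened: SecureRandom self-seeds from the operating system's CSPRNG.
    // Do not pass it a fixed seed: with the SHA1PRNG provider a supplied seed
    // replaces the self-seeding entirely and brings the predictability back.
    static final SecureRandom SECURE = new SecureRandom();

    static String strongToken() {
        byte[] buf = new byte[16]; // 128 bits of entropy per token
        SECURE.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // Two java.util.Random instances built from the same seed yield the same
        // token, which is exactly the predictability a security identifier must not have.
        long seed = 42L; // constructed example seed
        String a = weakToken(seed);
        String b = weakToken(seed);
        System.out.println("java.util.Random, same seed: " + a + " == " + b + " ? " + a.equals(b));
        System.out.println("SecureRandom token #1: " + strongToken());
        System.out.println("SecureRandom token #2: " + strongToken());
    }
}
```

The replacement is a one-line change at the construction site (`new Random()` to `new SecureRandom()`), since `SecureRandom` extends `Random` and keeps the `nextInt`/`nextLong`/`nextBytes` API; whether line 617 of NNStorage.java actually feeds a security-sensitive value is the question the reporter is asking the maintainers to confirm.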
was:
In file
client/src/main/java/org/apache/abdera/protocol/client/util/SimpleSSLProtocolSocketFactory.java,
line 46, SSL is used as the security protocol in the statement *context =
SSLContext.getInstance("SSL");*
*Impact:*
An SSL DDoS attack targets the SSL handshake protocol, either by sending
worthless data to the SSL server, which will result in connection issues for
legitimate users, or by abusing the SSL handshake protocol itself.
*Suggestions:*
Upgrade the implementation to “TLS”, and configure the https.protocols JVM
option to include TLSv1.2.
*Useful links:*
[https://blogs.oracle.com/java-platform-group/diagnosing-tls,-ssl,-and-https]
[https://www.appmarq.com/public/tqi,1039002,CWE-319-Avoid-using-Deprecated-SSL-protocols-to-secure-connection]
*Please share with us your opinions/comments if there are any:*
Is the bug report helpful?
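As an added example (not code from Abdera, Hadoop or the reporter), the Java class below puts the reported `SSLContext.getInstance("SSL")` call next to the suggested `"TLS"` form and goes one step further than the suggestion: the context name alone does not decide which protocol versions a socket will negotiate, so the example also pins the enabled versions on each socket to TLS 1.2/1.3 and turns on hostname verification. The `allowedProtocols` helper and the `WANTED` list are assumptions of this example; it intersects the wanted versions with what the running JDK supports so that `setEnabledProtocols` cannot throw on an older runtime without TLSv1.3.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;

public class TlsContextExample {
    // Before (the form the report points at): a context requested by the name "SSL".
    static SSLContext legacyContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("SSL");
        ctx.init(null, null, null);
        return ctx;
    }

    // After: request "TLS". The name is only a starting point; the versions a
    // socket may negotiate are pinned below with setEnabledProtocols.
    static SSLContext modernContext() throws GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, null, null); // default key managers, trust managers and RNG
        return ctx;
    }

    // Protocol versions we are willing to negotiate, preferred first (example policy).
    static final String[] WANTED = {"TLSv1.3", "TLSv1.2"};

    // Intersect the wanted list with what the runtime actually supports.
    static String[] allowedProtocols(String[] supported) {
        List<String> sup = Arrays.asList(supported);
        List<String> out = new ArrayList<>();
        for (String p : WANTED) {
            if (sup.contains(p)) {
                out.add(p);
            }
        }
        if (out.isEmpty()) {
            throw new IllegalStateException("runtime supports none of " + Arrays.toString(WANTED));
        }
        return out.toArray(new String[0]);
    }

    // Open a client socket that only speaks TLS 1.2/1.3 and verifies the server hostname.
    static SSLSocket connect(SSLContext ctx, String host, int port) throws IOException {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        s.setEnabledProtocols(allowedProtocols(s.getSupportedProtocols()));
        SSLParameters params = s.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS"); // hostname check against the certificate
        s.setSSLParameters(params);
        return s;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = modernContext();
        // Inspect, without connecting anywhere, which versions a socket from this
        // context would be allowed to negotiate under the policy above.
        SSLSocket probe = (SSLSocket) ctx.getSocketFactory().createSocket();
        System.out.println("supported: " + Arrays.toString(probe.getSupportedProtocols()));
        System.out.println("allowed:   " + Arrays.toString(allowedProtocols(probe.getSupportedProtocols())));
        probe.close();
    }
}
```

The `https.protocols` JVM option mentioned in the suggestion (for example `-Dhttps.protocols=TLSv1.2,TLSv1.3`) only governs `HttpsURLConnection` clients; code that builds its own `SSLSocket`, as the reported socket factory does, has to restrict the versions explicitly as shown, or rely on the `jdk.tls.disabledAlgorithms` entry in the JDK's `java.security` file, which disables legacy versions runtime-wide.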
Summary: Using a cryptographically weak Pseudo Random Number Generator
(PRNG) (was: Update to enable TLS >=1.2 as default secure protocols)
> Using a cryptographically weak Pseudo Random Number Generator (PRNG)
> --------------------------------------------------------------------
>
> Key: HDFS-15825
> URL: https://issues.apache.org/jira/browse/HDFS-15825
> Project: Hadoop HDFS
> Issue Type: Improvement
> Reporter: Ying Zhang
> Priority: Major
>
--
This message was sent by Atlassian Jira
(v8.3.4#803005)