Leonid Marushevskiy created CAMEL-7095:
------------------------------------------
Summary: Veracode compliance. Insufficient Entropy (CWE ID 331)
Key: CAMEL-7095
URL: https://issues.apache.org/jira/browse/CAMEL-7095
Project: Camel
Issue Type: Wish
Affects Versions: 2.12.2, 2.11.2, 2.13.0
Reporter: Leonid Marushevskiy
Priority: Minor
https://github.com/apache/camel/pull/80
During Veracode scan of our application we discover several warnings in Camel.
Please review our fix and apply it if it make sense.
Quote from Veracode report below:
Insufficient Entropy (CWE ID 331)(7 flaws)
Description
Standard random number generators do not provide a sufficient amount of entropy
when used for security purposes.
Attackers can brute force the output of pseudorandom number generators such as
rand().
Effort to Fix: 2 - Implementation error. Fix is approx. 6-50 lines of code. 1
day to fix.
Recommendations
If this random number is used where security is a concern, such as generating a
session key or session identifier, use a trusted cryptographic random number
generator instead. These can be found on the Windows platform in the
CryptoAPI or in an open source library such as OpenSSL.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
