[
https://issues.apache.org/jira/browse/CAMEL-8606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14487026#comment-14487026
]
Willem Jiang commented on CAMEL-8606:
-------------------------------------
Hi Kishore,
The classes which you showed do not use the Random.nextInt is not used to
generate the random number for the session key or session identifier. I don't
think we need to switch it to use the SecureRandom.
Regards,
Willem
> Attack Vector: java.util.Random.nextInt
> ---------------------------------------
>
> Key: CAMEL-8606
> URL: https://issues.apache.org/jira/browse/CAMEL-8606
> Project: Camel
> Issue Type: Improvement
> Components: camel-core
> Reporter: kishore kumar
>
> Standard random number generators do not provide a sufficient amount of
> entropy when used for security purposes. Attackers can brute force the output
> of pseudorandom number generators such as rand().
> Remediation: If this random number is used where security is a concern, such
> as generating a session key or session identifier, use a trusted
> cryptographic random number generator instead. These can be found on the
> Windows platform in the CryptoAPI or in an open source library such as
> OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy.
> Few classes used java.util.Random.
> WeightedRandomLoadBalancer.java: 56
> RedeliveryPolicy.java: 221
> FileUtil.java: 330
> RandomLoadBalancer.java: 44
> FileUtil.java: 334
> OptimisticLockRetryPolicy.java: 63
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
