[ https://issues.apache.org/jira/browse/CAMEL-8606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14487413#comment-14487413 ]

Antoine DESSAIGNE commented on CAMEL-8606:
------------------------------------------

Hi Willem,

I totally agree with you: there's absolutely no security risk with the usage of 
these _non-secure_ random number generators.

That being said, there are a *lot* of static code analyzers. For me, updating 
the code will:
* prevent this kind of false-positive issue from being created again and again
* reduce the noise from these analysis reports and potentially detect real 
issues that are not drowned in false positives.

Regards,

Antoine

> Attack Vector: java.util.Random.nextInt
> ---------------------------------------
>
>                 Key: CAMEL-8606
>                 URL: https://issues.apache.org/jira/browse/CAMEL-8606
>             Project: Camel
>          Issue Type: Improvement
>          Components: camel-core
>            Reporter: kishore kumar
>
> Standard random number generators do not provide a sufficient amount of 
> entropy when used for security purposes. Attackers can brute-force the output 
> of pseudorandom number generators such as rand().
> Remediation: If this random number is used where security is a concern, such 
> as generating a session key or session identifier, use a trusted 
> cryptographic random number generator instead. These can be found on the 
> Windows platform in the CryptoAPI or in an open source library such as 
> OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy.
> A few classes use java.util.Random:
> WeightedRandomLoadBalancer.java: 56
> RedeliveryPolicy.java: 221
> FileUtil.java: 330
> RandomLoadBalancer.java: 44
> FileUtil.java: 334
> OptimisticLockRetryPolicy.java: 63



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)