[
https://issues.apache.org/jira/browse/CAMEL-8606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14487321#comment-14487321
]
kishore kumar commented on CAMEL-8606:
--------------------------------------
But java itselt suggested to use java.security.SecureRandom class to generate
random values. Is there any plan to use SecureRandom class in camel source code
in further releases?
> Attack Vector: java.util.Random.nextInt
> ---------------------------------------
>
> Key: CAMEL-8606
> URL: https://issues.apache.org/jira/browse/CAMEL-8606
> Project: Camel
> Issue Type: Improvement
> Components: camel-core
> Reporter: kishore kumar
>
> Standard random number generators do not provide a sufficient amount of
> entropy when used for security purposes. Attackers can brute force the output
> of pseudorandom number generators such as rand().
> Remediation: If this random number is used where security is a concern, such
> as generating a session key or session identifier, use a trusted
> cryptographic random number generator instead. These can be found on the
> Windows platform in the CryptoAPI or in an open source library such as
> OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy.
> Few classes used java.util.Random.
> WeightedRandomLoadBalancer.java: 56
> RedeliveryPolicy.java: 221
> FileUtil.java: 330
> RandomLoadBalancer.java: 44
> FileUtil.java: 334
> OptimisticLockRetryPolicy.java: 63
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
