[
https://issues.apache.org/jira/browse/CAMEL-8606?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14487431#comment-14487431
]
Daniel Kulp commented on CAMEL-8606:
------------------------------------
Using SecureRandom in areas that don't need the the security it provides causes
the system entropy to be drained and then not available in the cases where real
secure random numbers are required. That can cause performance problems
across the system.
This should be closed as not a problem.
> Attack Vector: java.util.Random.nextInt
> ---------------------------------------
>
> Key: CAMEL-8606
> URL: https://issues.apache.org/jira/browse/CAMEL-8606
> Project: Camel
> Issue Type: Improvement
> Components: camel-core
> Reporter: kishore kumar
>
> Standard random number generators do not provide a sufficient amount of
> entropy when used for security purposes. Attackers can brute force the output
> of pseudorandom number generators such as rand().
> Remediation: If this random number is used where security is a concern, such
> as generating a session key or session identifier, use a trusted
> cryptographic random number generator instead. These can be found on the
> Windows platform in the CryptoAPI or in an open source library such as
> OpenSSL. In Java, use the SecureRandom object to ensure sufficient entropy.
> Few classes used java.util.Random.
> WeightedRandomLoadBalancer.java: 56
> RedeliveryPolicy.java: 221
> FileUtil.java: 330
> RandomLoadBalancer.java: 44
> FileUtil.java: 334
> OptimisticLockRetryPolicy.java: 63
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
