[
https://issues.apache.org/jira/browse/MATH-1182?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Phil Steitz closed MATH-1182.
-----------------------------
Resolution: Invalid
None of the methods referenced are intended for cryptographic / secure token
generating use. Other PRNGs are available in the library and in most cases,
user-supplied PRNGs may also be used.
> BUG - Insufficient Entropy in Commons-math3-3.3
> -----------------------------------------------
>
> Key: MATH-1182
> URL: https://issues.apache.org/jira/browse/MATH-1182
> Project: Commons Math
> Issue Type: Bug
> Affects Versions: 3.3
> Reporter: David Camilo Espitia Manrique
> Original Estimate: 120h
> Remaining Estimate: 120h
>
> We are currently using Commons-math3-3.3 and in the analysis for veracode,
> found this bug in these class:
> 1. FastMath.java (Line 813)
> 2. SynchronizedRandomGenerator.java (Line 78 and Line 85)
> 3. UniformIntegerDistribution.java (Line 164 and Line 172)
> 4. RandomAdaptor.java (Line 143 and 159)
> Type : Insufficient Entropy
> Description:
> Standard random number generators do not provide a sufficient amount of
> entropy when used for security purposes.
> Attackers can brute force the output of pseudorandom number generators such
> as rand().
> Recommendations:
> If this random number is used where security is a concern, such as generating
> a session key or session identifier, use
> a trusted cryptographic random number generator instead. These can be found
> on the Windows platform in the
> CryptoAPI or in an open source library such as OpenSSL.
> Thanks.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
