Frank Ch. Eigler created LANG-1607:
--------------------------------------

             Summary: To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG
                 Key: LANG-1607
                 URL: https://issues.apache.org/jira/browse/LANG-1607
             Project: Commons Lang
          Issue Type: Bug
            Reporter: Frank Ch. Eigler


In [https://nvd.nist.gov/vuln/detail/CVE-2019-16303], the 
org.apache.commons.lang3.RandomStringUtils randomAlphanumeric() function is 
used to generate random strings.  Because of weaknesses of the default RNG, 
this allows baddies to predict other randomAlphanumeric() results, which in this 
large family of client programs, results in severe vulnerabilities.

While the class is not documented to be "cryptographically safe", it would be 
prudent to upgrade the default RNG used in these classes to be crypto-usable 
level, such as with the java.security.SecureRandom nextBytes().

See e.g. this github PR, which is being replicated THOUSANDS of times, in order 
to work around this problem in countless users of this library.  
[https://github.com/elderdb/neptune/pull/1] 
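The workaround the issue describes, as an added example (not code from this issue, from the linked PR, or from the Commons Lang project): the seven-argument overload RandomStringUtils.random(count, start, end, letters, numbers, chars, random) is the library's existing public API and lets the caller supply the java.util.Random instance, so passing a java.security.SecureRandom gives the same [0-9A-Za-z] alphabet as randomAlphanumeric(count) without the predictable default RNG. The class name SecureTokens, the helper names and the shape check are assumptions of this example; it assumes commons-lang3 is on the classpath.

```java
import java.security.SecureRandom;
import java.util.Random;
import org.apache.commons.lang3.RandomStringUtils;

public final class SecureTokens {
    // One SecureRandom shared by the class: seeding comes from the JVM/OS
    // entropy source and the instance is safe to share between threads.
    private static final Random SECURE = new SecureRandom();

    private SecureTokens() {}

    // Same alphabet and length semantics as RandomStringUtils.randomAlphanumeric(count):
    // start == 0 and end == 0 with chars == null selects the library's default
    // character range, and letters/numbers restrict it to [0-9A-Za-z]. The only
    // difference is the final argument, which replaces the default RNG.
    public static String secureAlphanumeric(int count) {
        return RandomStringUtils.random(count, 0, 0, true, true, null, SECURE);
    }

    // Shape check for tests: right length and only alphanumeric characters.
    // This does not measure unpredictability; only the RNG source does that.
    static boolean looksAlphanumeric(String s, int expectedLength) {
        return s.length() == expectedLength && s.matches("[0-9A-Za-z]+");
    }

    public static void main(String[] args) {
        // Before: the default RNG the issue is about.
        String weak = RandomStringUtils.randomAlphanumeric(32);
        // After: identical call shape for callers, backed by SecureRandom.
        String strong = secureAlphanumeric(32);
        System.out.println("default RNG : " + weak);
        System.out.println("SecureRandom: " + strong);
        System.out.println("shape ok    : " + looksAlphanumeric(strong, 32));
    }
}
```

A code-review grep for `randomAlphanumeric(`, `randomAlphabetic(`, `randomNumeric(` and the other no-Random overloads is the cheapest way to find call sites that still use the default RNG for session ids, reset tokens or similar secrets.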



--
This message was sent by Atlassian Jira
(v8.3.4#803005)