[
https://issues.apache.org/jira/browse/LANG-1607?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17199612#comment-17199612
]
Frank Ch. Eigler commented on LANG-1607:
----------------------------------------
I see, an earlier search for the CVE name came up completely empty. Maybe it
was a search system problem.
Is my impression correct that the code maintainers are refusing to change the
default RNG, and have decided to handle this as a documentation issue only? If
so, I guess we can close this with the Jira equivalent of "WONTFIX", too bad.
> To aid with CVE-2019-16303, consider upgrading RandomStringUtils default RNG
> ----------------------------------------------------------------------------
>
> Key: LANG-1607
> URL: https://issues.apache.org/jira/browse/LANG-1607
> Project: Commons Lang
> Issue Type: Bug
> Reporter: Frank Ch. Eigler
> Priority: Major
>
> In [https://nvd.nist.gov/vuln/detail/CVE-2019-16303] , the
> org.apache.commons.lang3.RandomStringUtils randomAlphanumeric() function is
> used to generate random strings. Because of weaknesses of the default RNG,
> this allows baddies to predict other randomAlphanumeric() results, which in
> this large family of client programs, results in severe vulnerabilities.
> While the class is not documented to be "cryptographically safe", it would be
> prudent to upgrade the default RNG used in these classes to be crypto-usable
> level, such as with the java.security.SecureRandom nextBytes().
> See e.g. this github PR, which is being replicated THOUSANDS of times, in
> order to work around this problem in countless users of this library.
> [https://github.com/elderdb/neptune/pull/1]
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
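The two points the thread turns on, that a java.util.Random stream can be reconstructed from its own outputs and that callers can hand RandomStringUtils a SecureRandom instead of relying on the default, are shown together below in an added example. It is not code from the Jira issue, from Commons Lang, or from the linked pull request. It assumes Java 8 or later with commons-lang3 on the classpath; the class name RngPredictDemo and the helper names are mine. The state recovery uses the documented 48-bit LCG constants of java.util.Random and works from two full nextInt() outputs; RandomStringUtils only exposes bounded nextInt(gap) values, so a real attack on the library needs more samples than this primitive, but the underlying weakness is the same.

```java
import java.security.SecureRandom;
import java.util.Random;
import org.apache.commons.lang3.RandomStringUtils;

public class RngPredictDemo {
    // java.util.Random is a 48-bit linear congruential generator with these fixed constants.
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    // One LCG step, identical to the private next() in java.util.Random.
    static long step(long seed) {
        return (seed * MULT + ADD) & MASK;
    }

    // nextInt() returns the top 32 bits of the 48-bit state, so only the low 16 bits are unknown.
    // Brute-force those 65536 candidates and keep the one that reproduces the second output.
    // Returns the state after the second output, or -1 if no candidate matches (not expected).
    static long recoverState(int out1, int out2) {
        long upper = (out1 & 0xFFFFFFFFL) << 16;   // mask first so a negative int does not sign-extend
        for (long low = 0; low < (1L << 16); low++) {
            long candidate = upper | low;
            long next = step(candidate);
            if ((int) (next >>> 16) == out2) {
                return next;
            }
        }
        return -1;
    }

    // With the state known, every future nextInt() is computable.
    static int predictNext(long state) {
        return (int) (step(state) >>> 16);
    }

    public static void main(String[] args) {
        // Weak generator: the same class RandomStringUtils used by default at the time of the report.
        Random weak = new Random();
        int a = weak.nextInt();
        int b = weak.nextInt();
        long state = recoverState(a, b);
        int predicted = predictNext(state);
        int actual = weak.nextInt();
        System.out.println("predicted=" + predicted + " actual=" + actual
                + " match=" + (predicted == actual));

        // Default call: draws from the library's shared java.util.Random (weak).
        String weakToken = RandomStringUtils.randomAlphanumeric(32);

        // Hardened call: the same alphabet as randomAlphanumeric(), but the caller supplies a
        // SecureRandom through the overload that accepts a java.util.Random (SecureRandom extends it).
        SecureRandom secure = new SecureRandom();
        String strongToken = RandomStringUtils.random(32, 0, 0, true, true, null, secure);

        System.out.println("default  token=" + weakToken);
        System.out.println("secure   token=" + strongToken);
    }
}
```

The match line prints true on every run because the recovery is exact, not probabilistic: a seed is never reused and there is no entropy the attacker lacks once two outputs are seen. The hardened call is the pattern the linked pull request and its many copies apply at each call site; the request in this issue is that the library make it the default so that callers do not have to know the overload exists.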