Victor Romero created FINERACT-1415:
---------------------------------------
Summary: Make sure that using this pseudorandom number generator
is safe
Key: FINERACT-1415
URL: https://issues.apache.org/jira/browse/FINERACT-1415
Project: Apache Fineract
Issue Type: Improvement
Reporter: Victor Romero
[https://sonarcloud.io/project/security_hotspots?id=apache_fineract#]
Using pseudorandom number generators (PRNGs) is security-sensitive. For
example, it has led in the past to the following vulnerabilities:
* [CVE-2013-6386|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386]
* [CVE-2006-3419|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419]
* [CVE-2008-4102|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102]
When software generates predictable values in a context requiring
unpredictability, it may be possible for an attacker to guess the next value
that will be generated, and use this guess to impersonate another user or
access sensitive information.
As the {{java.util.Random}} class relies on a pseudorandom number generator,
this class and relating {{java.lang.Math.random()}} method should not be used
for security-critical applications or for protecting sensitive data. In such
context, the {{java.security.SecureRandom}} class which relies on a
cryptographically strong random number generator (RNG) should be used in place.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
