[
https://issues.apache.org/jira/browse/FINERACT-1415?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17432912#comment-17432912
]
Awasum Yannick commented on FINERACT-1415:
------------------------------------------
[~victorromero], This looks like it was merged and then reverted? I dont know
if we need to close this or leave it open... let us know...
> Make sure that using this pseudorandom number generator is safe
> ---------------------------------------------------------------
>
> Key: FINERACT-1415
> URL: https://issues.apache.org/jira/browse/FINERACT-1415
> Project: Apache Fineract
> Issue Type: Improvement
> Affects Versions: 1.0.0, 1.1.0, 1.2.0, 1.3.0, 1.4.0, 1.5.0
> Reporter: Victor Romero
> Assignee: Victor Romero
> Priority: Major
> Labels: tech-debt
> Fix For: 1.6.0
>
>
> [https://sonarcloud.io/project/security_hotspots?id=apache_fineract#]
>
> Using pseudorandom number generators (PRNGs) is security-sensitive. For
> example, it has led in the past to the following vulnerabilities:
> * [CVE-2013-6386|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6386]
> * [CVE-2006-3419|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3419]
> * [CVE-2008-4102|http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4102]
> When software generates predictable values in a context requiring
> unpredictability, it may be possible for an attacker to guess the next value
> that will be generated, and use this guess to impersonate another user or
> access sensitive information.
> As the {{java.util.Random}} class relies on a pseudorandom number generator,
> this class and relating {{java.lang.Math.random()}} method should not be used
> for security-critical applications or for protecting sensitive data. In such
> context, the {{java.security.SecureRandom}} class which relies on a
> cryptographically strong random number generator (RNG) should be used in
> place.
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
