[
https://issues.apache.org/jira/browse/KUDU-1843?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15832681#comment-15832681
]
Todd Lipcon commented on KUDU-1843:
-----------------------------------
the fix seems to be to use the following:
{code}
boost::uuids::basic_random_generator<boost::random_device> oid_generator_;
{code}
but that requires the boost libraries (not header-only). We're talking about
building boost libraries in another context, so putting this on hold until
they're available.
> Client UUIDs should be cryptographically random
> -----------------------------------------------
>
> Key: KUDU-1843
> URL: https://issues.apache.org/jira/browse/KUDU-1843
> Project: Kudu
> Issue Type: Improvement
> Components: security
> Affects Versions: 1.3.0
> Reporter: Todd Lipcon
> Priority: Critical
>
> Currently we use boost::uuid's default random generator, which is not
> cryptographically random. This may increase the ease with which an attacker
> could guess another client's client ID, which would potentially allow them to
> perform DoS or try to steal the results of RPCs from the result cache.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
