[ https://issues.apache.org/jira/browse/KAFKA-7856?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16751662#comment-16751662 ]
Colin P. McCabe commented on KAFKA-7856:
----------------------------------------

I don't see any cryptographic issue here. The random number generator is being used for injecting some randomness into the retry delay. Even if an attacker could predict exactly when retries would happen, there is no security implication that I can see. If you're a bad guy, then just write your own client that retries as quickly as possible.

> Cryptographic Issues by Insufficient Entropy
> --------------------------------------------
>
>                 Key: KAFKA-7856
>                 URL: https://issues.apache.org/jira/browse/KAFKA-7856
>             Project: Kafka
>          Issue Type: Bug
>    Affects Versions: 2.1.0
>            Reporter: Victor Sartori
>            Priority: Major
>              Labels: patch, pull-request-available, security
>             Fix For: 2.1.1
>
>
> We passed the Kafka client through security analysis and this scan reports:
> CWE-331 - Flaw medium, SANS TOP 25
> [https://cwe.mitre.org/data/definitions/331.html]
>
> A PR on github is present. (https://github.com/apache/kafka/pull/6184)

--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
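As an added illustration of the point made in the comment above (example code, not Kafka's retry logic and not from any participant in this thread): exponential backoff with jitter where the random source is pluggable. The constants and function names are assumptions; the property the scheduler actually depends on (every delay lands inside the jitter window) holds the same for a seeded, fully predictable generator as for OS entropy, which is why the generator's unpredictability is not load-bearing here.

```python
import random

# Constructed parameters for the illustration (not Kafka's actual settings).
BASE_DELAY_MS = 100     # delay before the first retry
MAX_DELAY_MS = 10_000   # cap on the exponential growth
JITTER_PCT = 20         # spread the delay +/-20% around the backoff value


def make_rng(seed=None):
    """Seeded random.Random when a seed is given (fully predictable),
    random.SystemRandom (OS entropy) otherwise."""
    return random.Random(seed) if seed is not None else random.SystemRandom()


def delay_bounds_ms(attempt):
    """Return the (lo, hi) window a retry delay may fall in for this attempt."""
    backoff = min(BASE_DELAY_MS * 2 ** attempt, MAX_DELAY_MS)
    lo = backoff * (100 - JITTER_PCT) // 100
    hi = backoff * (100 + JITTER_PCT) // 100
    return lo, hi


def retry_delay_ms(attempt, rng):
    """Exponential backoff with jitter drawn from whichever generator is passed."""
    lo, hi = delay_bounds_ms(attempt)
    return rng.randint(lo, hi)


def all_within_bounds(attempt, rng, samples=1000):
    """The property the retry logic depends on: every delay is inside the window."""
    lo, hi = delay_bounds_ms(attempt)
    return all(lo <= retry_delay_ms(attempt, rng) <= hi for _ in range(samples))


def delay_schedule(seed, attempts):
    """Delays produced by a seeded generator. Re-running with the same seed
    reproduces the schedule exactly; that reproducibility is what an
    'insufficient entropy' scanner flags, and it is harmless for a retry
    delay because a client may pick any schedule it likes anyway."""
    rng = make_rng(seed)
    return [retry_delay_ms(i, rng) for i in range(attempts)]


if __name__ == "__main__":
    print(delay_bounds_ms(3), delay_schedule(42, 5))
    print(all_within_bounds(3, make_rng()), all_within_bounds(3, make_rng(1)))
```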