https://bz.apache.org/bugzilla/show_bug.cgi?id=65083
Bug ID: 65083
Summary: Using a cryptographically weak Pseudo Random Number Generator (PRNG)
Product: Ant
Version: unspecified
Hardware: PC
OS: All
Status: NEW
Severity: normal
Priority: P2
Component: AntUnit
Assignee: notifications@ant.apache.org
Reporter: ya...@vt.edu
Target Milestone: ---

We are a security research team at Virginia Tech. We are doing an empirical study about the usefulness of the existing security vulnerability detection tools. The following is a vulnerability reported by certain tools. We would appreciate it if you could give any feedback on it.

**Vulnerability Description**: In file ant/src/main/org/apache/tools/ant/util/FileUtils.java, java.util.Random is used instead of java.security.SecureRandom at Line 80.

**Security Impact**: java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.

Useful Resources: https://cwe.mitre.org/data/definitions/338.html

**Solution we suggest**: Replace it with SecureRandom

**Please share with us your opinions/comments if there is any**: Is the bug report helpful?

--
You are receiving this mail because:
You are the assignee for the bug.
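The difference the report refers to, as an added example that is not part of the bug report and is not Ant's code: the class name `PrngComparison`, the methods `weakToken` and `strongToken`, and the seed value are hypothetical. It shows that every value from `java.util.Random` is a function of its seed, next to the `SecureRandom` form to use where a value must be unpredictable.

```java
import java.security.SecureRandom;
import java.util.Random;

// Hypothetical illustration; not taken from FileUtils.java.
public class PrngComparison {

    // Weak pattern (CWE-338): java.util.Random is a 48-bit linear
    // congruential generator, so its whole output stream is determined
    // by the seed it was constructed with.
    static String weakToken(Random rng) {
        return Long.toHexString(rng.nextLong());
    }

    // Hardened pattern: one shared SecureRandom, seeded by the platform.
    private static final SecureRandom SECURE = new SecureRandom();

    // 128 bits from the CSPRNG, hex-encoded.
    static String strongToken() {
        byte[] buf = new byte[16];
        SECURE.nextBytes(buf);
        StringBuilder hex = new StringBuilder(buf.length * 2);
        for (byte b : buf) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) {
        // Constructed sample seed. Seeds built from the clock or other
        // low-entropy values are the usual reason this pattern gets flagged.
        long seed = 1609459200000L;

        // Two generators with the same seed stay in lockstep: whoever
        // knows or guesses the seed can reproduce every "random" value.
        Random first = new Random(seed);
        Random second = new Random(seed);
        boolean identical = true;
        for (int i = 0; i < 5; i++) {
            identical &= weakToken(first).equals(weakToken(second));
        }
        System.out.println("same seed, same weak tokens: " + identical);

        // No caller-supplied seed is involved here.
        System.out.println("CSPRNG token: " + strongToken());
    }
}
```

Whether the flagged line needs this change depends on whether its output is used in a security context, which is the condition the report itself attaches to the impact.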