https://bz.apache.org/bugzilla/show_bug.cgi?id=65083
Jaikiran Pai <jaiki...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Jaikiran Pai <jaiki...@apache.org> ---
> **Vulnerability Description**:
> In file ant/src/main/org/apache/tools/ant/util/FileUtils.java, use
> java.util.Random instead of java.security.SecureRandom at Line 80.
> **Security Impact**:
> Java.util.Random is not cryptographically strong and may expose sensitive
> information to certain types of attacks when used in a security context.

Line 79 of that FileUtils class has a comment which states:

> //get some non-crypto-grade randomness from various places.

So this Random instance isn't being used in any cryptographic context (I checked the code not just the comment to be sure).