[
https://issues.apache.org/jira/browse/HDFS-15825?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17281142#comment-17281142
]
Kihwal Lee commented on HDFS-15825:
-----------------------------------
[~Vicky Zhang], if you want to scan the code base, please do not include
obsolete branches. Please focus on trunk, branch-3.3 and branch-3.2.
NNStorage currently uses {{ThreadLocalRandom}}. This is not for security, thus
CWE-338 does not apply.
> Using a cryptographically weak Pseudo Random Number Generator (PRNG)
> --------------------------------------------------------------------
>
> Key: HDFS-15825
> URL: https://issues.apache.org/jira/browse/HDFS-15825
> Project: Hadoop HDFS
> Issue Type: Improvement
> Reporter: Vicky Zhang
> Priority: Major
>
> We are a security research team at Virginia Tech. We are doing an empirical
> study about the usefulness of the existing security vulnerability detection
> tools. The following is a reported vulnerability by certain tools. We'll so
> appreciate it if you can give any feedback on it.
> *Vulnerability Description*
> In file src/java/org/apache/hadoop/hdfs/server/namenode/NNStorage.java, use
> java.util.Random instead of java.security.SecureRandom at Line 617.
> *Security Impact:*
> Java.util.Random is not cryptographically strong and may expose sensitive
> information to certain types of attacks when used in a security context.
> *Useful Resources*:
> [https://cwe.mitre.org/data/definitions/338.html]
> *Solution we suggest*
> Replace it with SecureRandom
> *Please share with us your opinions/comments if there is any*
> Is the bug report helpful?
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
---------------------------------------------------------------------
To unsubscribe, e-mail: hdfs-issues-unsubscr...@hadoop.apache.org
For additional commands, e-mail: hdfs-issues-h...@hadoop.apache.org
