| Summary: | Using a cryptographically weak Pseudo Random Number Generator (PRNG) |
|---|---|
| Product: | Ant |
| Component: | AntUnit |
| Reporter: | Ya Xiao <yax99> |
| Assignee: | Ant Notifications List <notifications> |
| Status: | RESOLVED INVALID |
| Severity: | normal |
| Priority: | P2 |
| Version: | unspecified |
| Target Milestone: | --- |
| Hardware: | PC |
| OS: | All |
Description
Ya Xiao
2021-01-16 04:01:25 UTC
> **Vulnerability Description**:
> In file ant/src/main/org/apache/tools/ant/util/FileUtils.java, use java.util.Random instead of java.security.SecureRandom at Line 80.
> **Security Impact**:
> java.util.Random is not cryptographically strong and may expose sensitive information to certain types of attacks when used in a security context.

Line 79 of that FileUtils class has a comment which states:

> //get some non-crypto-grade randomness from various places.

So this Random instance isn't being used in any cryptographic context (I checked the code, not just the comment, to be sure).

Thank you so much for replying. We agree that the detector is unable to understand the context. There might be a gap between the tools and the demands in practice. We want to collect some information to narrow down the gap. We would appreciate it if you could share some opinions about the following questions. Your feedback is important for us to help improve the state of the art.

1. What kind of support do you think is necessary for a bug detector to be useful in practice? Take this as an example: maybe a more accurate context or a demonstration of exploits is expected?
2. Are there any types of bugs/security vulnerabilities you want the detection tools to pay more attention to?
3. For a verified bug/vulnerability, what kind of support/features do you expect to help fix it?
4. What kind of bug checker/vulnerability detection tools are you using? Do you think they are helpful?
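As an added illustration (not code from the Ant project or from this report), the distinction the reply above draws: java.util.Random is deterministic given its seed, which is harmless for a suffix that only has to avoid temp-file name collisions but not for a value an attacker must be unable to guess. The token helper, class name and seed value below are constructed for the example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class PrngContextDemo {

    // Non-security use, as in the FileUtils case discussed in the report: a suffix
    // that only needs to avoid accidental collisions. java.util.Random is adequate.
    static String tempFileSuffix(Random rng) {
        return Long.toHexString(rng.nextLong());
    }

    // Security-sensitive use (hypothetical): a token nobody should be able to predict.
    // This is the kind of context in which a weak-PRNG finding actually applies, and
    // the value must come from SecureRandom.
    static String unguessableToken(SecureRandom rng) {
        byte[] buf = new byte[32];
        rng.nextBytes(buf);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        // java.util.Random is a 48-bit linear congruential generator: the same seed
        // always yields the same sequence, so its output is only as unpredictable as
        // its seed. Seeding from a clock (constructed seed below) makes it guessable.
        long seed = 1610769685000L; // constructed example seed, millisecond-timestamp shaped
        Random a = new Random(seed);
        Random b = new Random(seed);
        boolean sameSequence = tempFileSuffix(a).equals(tempFileSuffix(b));
        System.out.println("Random with equal seeds repeats its output: " + sameSequence);

        // SecureRandom draws from the platform CSPRNG; independent instances disagree.
        SecureRandom s1 = new SecureRandom();
        SecureRandom s2 = new SecureRandom();
        boolean tokensDiffer = !unguessableToken(s1).equals(unguessableToken(s2));
        System.out.println("SecureRandom tokens differ: " + tokensDiffer);

        System.out.println("temp suffix (non-crypto): " + tempFileSuffix(new Random()));
        System.out.println("token (crypto-grade)    : " + unguessableToken(new SecureRandom()));
    }
}
```

The practical check a reviewer makes before accepting such a finding is the one the maintainer describes: trace where the random value flows and confirm whether anything depends on it being unpredictable.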