KAFKA-7856: Fix vulnerability CWE-331 #6184
Conversation
Fix vulnerability pointed out by CWE. Cryptographic Issues by Insufficient Entropy (CWE-331 - Flaw medium, SANS TOP 25). This change should be promoted to new versions.
I don't see how this is a vulnerability. The random number generator is only being used to adjust the jitter which is added to the credential refresh period. An attacker doesn't gain anything by guessing this sequence of numbers, as best as I can tell.
Hi @cmccabe
Static analysis tools are not perfect and they often warn about things which are not real problems. In this particular case, I don't see why the random numbers used for random delays need to be cryptographically secure. Can you explain how this is a vulnerability?
Hi @cmccabe. Another alternative is to use the setSeed method from the Random class. What do you think about this approach?
I'm not sure I follow. What's the cryptographic issue here?
The JavaDoc for
Why would we need to initialize the seed on our own here?
Because the number generated by Random has low entropy, and when we add setSeed the number is less predictable. Does SecureRandom have low performance? Will this impact Kafka?
Re-seeding it with the time will not help.
You haven't explained why we need more entropy here.
There seems to be no security issue here.
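To make concrete what the replies above argue, the following is an added example of mine, not Kafka's code and not part of this PR. It ports the java.util.Random LCG to Python, draws a hypothetical refresh-jitter schedule from a Random seeded with the clock (the setSeed proposal), and then plays the attacker: knowing only that the process started within a five-second window, it brute-forces the seed from a few observed jitter values and predicts the ones that follow. The jitter function, the 5000 ms cap, the timestamp and the window are all constructed for the example.

```python
# Added example (mine, not Kafka's code or anything from this PR). A port of
# the java.util.Random LCG so the argument in the thread can be tested
# offline: a Random seeded from the clock is reproducible by anyone who
# knows roughly when it was seeded, so setSeed(currentTimeMillis) adds no
# unpredictability. The jitter function and the scenario below are
# hypothetical, not Kafka's refresh logic.
from typing import Dict, List, Optional

MULT = 0x5DEECE66D          # java.util.Random multiplier
ADD = 0xB                   # java.util.Random increment
MASK = (1 << 48) - 1        # 48-bit state


class JavaRandom:
    """Same LCG as java.util.Random; next_int() matches Java for a given seed."""

    def __init__(self, seed: int) -> None:
        self.seed = (seed ^ MULT) & MASK      # Java scrambles the seed on setSeed

    def next(self, bits: int) -> int:
        self.seed = (self.seed * MULT + ADD) & MASK
        return self.seed >> (48 - bits)

    def next_int(self, bound: Optional[int] = None) -> int:
        if bound is None:                     # nextInt(): signed 32-bit value
            r = self.next(32)
            return r - (1 << 32) if r >= (1 << 31) else r
        if bound <= 0:
            raise ValueError("bound must be positive")
        r = self.next(31)
        m = bound - 1
        if bound & m == 0:                    # power of two: use the high bits
            return (bound * r) >> 31
        u = r
        r = u % bound
        while u - r + m >= (1 << 31):         # Java's overflow-based rejection
            u = self.next(31)
            r = u % bound
        return r


def jitter_schedule(seed: int, count: int, max_jitter_ms: int) -> List[int]:
    """Hypothetical refresh jitter: `count` delays in [0, max_jitter_ms) drawn
    from a Random seeded with `seed` (the setSeed(time) proposal)."""
    rng = JavaRandom(seed)
    return [rng.next_int(max_jitter_ms) for _ in range(count)]


def recover_seed(observed: List[int], start_ms: int, end_ms: int,
                 max_jitter_ms: int) -> Optional[int]:
    """Attacker side: try every millisecond in [start_ms, end_ms] as the seed
    and return the first one that reproduces the observed jitter values."""
    for candidate in range(start_ms, end_ms + 1):
        if jitter_schedule(candidate, len(observed), max_jitter_ms) == observed:
            return candidate
    return None


def demo() -> Dict[str, object]:
    """Constructed scenario: the process called setSeed(currentTimeMillis) at
    startup, and the attacker knows the start time to within five seconds
    (a log line, a deployment event). 1_548_000_000_000 is an arbitrary
    fixed instant so the run is reproducible."""
    window_start = 1_548_000_000_000
    true_seed = window_start + 1_337
    max_jitter_ms = 5_000                     # hypothetical jitter cap
    observed = jitter_schedule(true_seed, 4, max_jitter_ms)   # what leaks via timing
    guess = recover_seed(observed, window_start, window_start + 5_000, max_jitter_ms)
    predicted = jitter_schedule(guess, 8, max_jitter_ms)[4:] if guess is not None else []
    return {
        "observed": observed,
        "recovered_seed": guess,
        "seed_recovered": guess == true_seed,
        "predicted_next_jitters": predicted,
        "actual_next_jitters": jitter_schedule(true_seed, 8, max_jitter_ms)[4:],
    }


if __name__ == "__main__":
    print(demo())
```

Once the start time is roughly known, a clock-derived seed leaves only a few thousand candidates to try, which is why reseeding with the time does not add entropy; SecureRandom draws from the OS entropy pool and has no seed to search. As the thread concludes, none of this matters for refresh jitter, because the jitter is not a secret and an attacker who can predict it gains nothing.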