Bug 1205180 (Unsafe-api-Random) - AUDIT-FIND: SUMA: Unsafe usage of java.util.Random API
Summary: AUDIT-FIND: SUMA: Unsafe usage of java.util.Random API
Status: RESOLVED FIXED
Alias: Unsafe-api-Random
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P5 - None : Normal
Target Milestone: ---
Assignee: Artem Shiliaev
QA Contact: Security Team bot
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: 1201713
Reported: 2022-11-08 12:12 UTC by Paolo Perego
Modified: 2024-01-12 17:07 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Paolo Perego 2022-11-08 12:12:08 UTC
In the following classes, the java.util.Random class is used. This is not a vulnerability per se; however, java.security.SecureRandom is considered a robust and cryptographically secure pseudo-random number generator, and it should be used instead of java.util.Random for sensitive applications:

* CryptHelper.java
* StringUtil.java
* SystemCheckinUtils.java

Please note that java.util.Random is used in test classes, however in that case the usage can be considered safe.
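An added illustration of the finding (example code written for this page, not taken from the SUSE Manager or spacewalk sources; the class, method and alphabet are hypothetical). It shows a StringUtil-style token helper that accepts any `Random`, why seeding it with `java.util.Random` makes the token reproducible, and that switching to `SecureRandom` needs no change to the helper because `SecureRandom` extends `Random`:

```java
import java.security.SecureRandom;
import java.util.Random;

// Hypothetical helper, modelled on a random-string utility; not SUSE Manager code.
public class TokenExample {
    private static final String ALPHABET =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // Builds a token from whichever generator is passed in.
    // nextInt(bound) is unbiased for both Random and SecureRandom.
    static String token(Random rng, int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(rng.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }

    // Weak: java.util.Random is a 48-bit linear congruential generator, so the
    // entire output stream is determined by its seed. Any seed that can be
    // reproduced (a timestamp, a counter, a default value) reproduces the token.
    static String weakToken(long seed, int length) {
        return token(new Random(seed), length);
    }

    // Fixed: SecureRandom draws from the platform's CSPRNG (e.g. /dev/urandom on
    // Linux) and is a subclass of Random, so the same helper works unchanged.
    static String secureToken(int length) {
        return token(new SecureRandom(), length);
    }

    public static void main(String[] args) {
        long reusedSeed = 1_700_000_000_000L; // constructed: a millisecond timestamp
        // Two generators built from the same seed yield identical tokens.
        System.out.println("Random, same seed twice: "
            + weakToken(reusedSeed, 16) + " / " + weakToken(reusedSeed, 16));
        // SecureRandom instances are independently seeded by the OS.
        System.out.println("SecureRandom, two draws: "
            + secureToken(16) + " / " + secureToken(16));
    }
}
```

When reviewing a codebase for this pattern, the check is the same as the audit above: every `new Random(` outside test code that feeds a token, salt, password, nonce or session identifier should become `new SecureRandom()`.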
Comment 1 Paolo Perego 2023-09-06 10:42:16 UTC
Created an issue on Github private repo: https://github.com/SUSE/spacewalk/issues/22469
Comment 2 Paolo Perego 2023-11-20 09:26:50 UTC
@Artem can you take a look at this PR?
Comment 3 Artem Shiliaev 2024-01-12 14:48:20 UTC
Hey Paolo,

I've left a comment on GitHub, the issue seems to be already addressed in the upstream.
Comment 4 Paolo Perego 2024-01-12 17:07:08 UTC
Very nice.

I will close the issue then.
Thank you so much.