jasypt: java simplified encryption / Bugs / #23 Vulnerability report

#23 Vulnerability report - Insufficient Entropy

Milestone: v1.9.x

Status: closed-fixed

Owner: Daniel Fernandez

Labels: jasypt (16)

Priority: 5

Updated: 2013-08-21

Created: 2013-04-26

Creator: david

Private: No

Hi,

We are using jasypt 1.5 and a Veracode analysis found a vulnerability in org.jasypt.salt.RandomSaltGenerator.java line 93.

This is the report:

Insufficient Entropy (CWE ID 331)

Description
Standard random number generators do not provide a sufficient amount of entropy when used for security purposes.
Attackers can brute force the output of pseudorandom number generators such as rand().

Recommendations
If this random number is used where security is a concern, such as generating a session key or session identifier, use
a trusted cryptographic random number generator instead. These can be found on the Windows platform in the
CryptoAPI or in an open source library such as OpenSSL.

I will love to hear your opinion.
Thx in advanced!

Discussion

Anonymous - 2013-04-29

This is also in CommonUtils.java:274 in version 1.9
Its a very simple task to use a secure random generator, would be nice to have this fixed.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Daniel Fernandez - 2013-08-21

Fixed in SVN trunk. Will be a included in 1.9.1

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Daniel Fernandez - 2013-08-21

status: open --> closed-fixed

Group: v1.5 --> v1.9.x
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Vulnerability report - Insufficient Entropy

Group

Searches

Help

#23 Vulnerability report - Insufficient Entropy

Discussion