software composition analysis
Product
SAST
Catch vulnerabilities as you develop DAST
Test live web applications like an attacker SCA
Secure open-source and supply chain MAST
Secure mobile apps from code to store Compliance
Align with standards while shipping secure code
Resources
Vulnerability database Healthy Package
Blog News
Documentation
Pricing Partners About Us Log In
software composition analysis

Java : Weak seed of random number generator

Classification

OWASP Top 10 2013 A6-Sensitive Data Exposure OWASP Top 10 2017 A3-Sensitive Data Exposure OWASP Top 10 2021 A2-Cryptographic Failures A4-Insecure Design OWASP MASVS V8: 8.13.(L1+R/L2+R) OWASP ASVS Stored Cryptography PCI DSS 4.0 3.6.1 6.2.4 8.3.2 HIPAA §164.312 (a)(2)(iv) CWE CWE-331 CWE-336 CWE-337 CWE-1032

Overview

The Random.setSeed() method is called with an integer argument from an untrusted source. The corresponding pseudo-random number generator generates a predictable sequence.

The work of many cryptographic algorithms is based on the use of cryptographically stable PRNG. Some algorithms take as an additional argument the seed value and for each value of this parameter generate a predictable sequence. In this case, the security of the system is based on the assumption that the seed values will be unpredictable.

Sensitive Data Exposure vulnerabilities take the third place in the “OWASP Top 10 2017” web-application vulnerabilities ranking.

References

  1. OWASP Top 10 2017-A3-Sensitive Data Exposure
  2. OWASP Top 10 2013-A6-Sensitive Data Exposure
  3. CWE-337
  4. CWE CATEGORY: OWASP Top Ten 2017 Category A6 - Security Misconfiguration
  5. CWE-331

See also

Java : XML decoder injection
Java : Empty encryption key in JWT-token signature
Java : Null dereference on some path