Java : Weak seed of random number generator
Classification
OWASP Top 10 2013: A6 - Sensitive Data Exposure
OWASP Top 10 2017: A3 - Sensitive Data Exposure
OWASP Top 10 2021: A2 - Cryptographic Failures; A4 - Insecure Design
OWASP MASVS: V8: 8.13 (L1+R/L2+R)
OWASP ASVS: Stored Cryptography
PCI DSS 4.0: 3.6.1, 6.2.4, 8.3.2
HIPAA: §164.312 (a)(2)(iv)
CWE: CWE-331, CWE-336, CWE-337, CWE-1032
Overview
The Random.setSeed() method is called with an integer argument that comes from an untrusted source. The corresponding pseudo-random number generator then produces a predictable sequence.
Many cryptographic algorithms rely on a cryptographically secure PRNG. Some algorithms take a seed value as an additional argument and, for each value of that parameter, generate a fully determined (and therefore predictable) sequence. In this case, the security of the system rests on the assumption that the seed values are unpredictable.
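As an added example (not code from the original page), the weak pattern described above beside a hardened version. The method names, the "request parameter" seed source and the sample seed value are constructed for illustration:

```java
import java.security.SecureRandom;
import java.util.Random;

public class TokenSeeding {

    // Weak: the seed is an untrusted integer, so anyone who knows or can
    // guess that integer can reproduce the entire output sequence.
    static long weakToken(int untrustedSeed) {
        Random rnd = new Random();
        rnd.setSeed(untrustedSeed);   // CWE-336/CWE-337: predictable seed
        return rnd.nextLong();
    }

    // Hardened: SecureRandom self-seeds from the platform entropy source.
    // Do not call setSeed() on it with caller-supplied data, which would
    // reintroduce the same weakness.
    static long strongToken() {
        SecureRandom rnd = new SecureRandom();
        return rnd.nextLong();
    }

    public static void main(String[] args) {
        // Constructed sample input: an integer taken from an untrusted
        // source (for example, a request parameter).
        int seedFromRequest = 12345;

        // Two independent calls with the same seed yield the same "random"
        // token, showing that the sequence is determined entirely by the seed.
        long t1 = weakToken(seedFromRequest);
        long t2 = weakToken(seedFromRequest);
        System.out.println("weak tokens equal: " + (t1 == t2));

        // Two SecureRandom instances are seeded independently from entropy,
        // so their outputs are not reproducible from any caller input.
        long s1 = strongToken();
        long s2 = strongToken();
        System.out.println("strong tokens equal: " + (s1 == s2));
    }
}
```

The same equality check is a cheap unit test for flagging code paths where a caller-controlled value ends up seeding a generator used for security-relevant output.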
Sensitive Data Exposure vulnerabilities rank third in the "OWASP Top 10 2017" ranking of web-application vulnerabilities.