GNU Classpath Weak Pseudo-Random Number Generator (PRNG) Weakness

vendor:

Classpath

by:

SecurityFocus

3.3

CVSS

MEDIUM

Weak Pseudo-Random Number Generator (PRNG) Weakness

330

CWE

Product Name: Classpath

Affected Version From: Classpath 0.97.2

Affected Version To: Other versions may also be affected.

Patch Exists: YES

Related CWE: N/A

CPE: N/A

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: N/A

2008

GNU Classpath Weak Pseudo-Random Number Generator (PRNG) Weakness

GNU Classpath is prone to a weakness that may result in weaker cryptographic security because its psuedo-random number generator (PRNG) lacks entropy. Attackers may leverage this issue to obtain sensitive information that can lead to further attacks.

Mitigation:

Upgrade to the latest version of GNU Classpath.

Source

Exploit-DB raw data:

source: https://www.securityfocus.com/bid/32909/info

GNU Classpath is prone to a weakness that may result in weaker cryptographic security because its psuedo-random number generator (PRNG) lacks entropy.

Attackers may leverage this issue to obtain sensitive information that can lead to further attacks.

Classpath 0.97.2 is vulnerable; other versions may also be affected. 

import gnu.java.security.util.PRNG;

class PRNGTest {
   public static void main(String args[])
      {
      long t = System.currentTimeMillis();

      System.out.println("Time in ms is " + t);

      PRNG prng = PRNG.getInstance();

      byte buffer[] = new byte[40];

      prng.nextBytes(buffer, 0, buffer.length);

      for(int i = 0; i != buffer.length; ++i)
         {
         // There must be an easier way to do this (right?)
         int intval = buffer[i];

         if(intval <= 0)
            intval += 256;

         String s = Integer.toHexString(intval);

         if(s.length() == 1)
            s = "0" + s;

         System.out.print(s);
         }
      System.out.println("");
      }
   };