Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

CVE-2018-1426

High

9.1/10

Summary

IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. IBM X-Force ID: 139071.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: NONE
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: NONE

CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.

References

Advisory Timeline

Published Mar 22, 2018

Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

CVE-2018-1426

Summary

CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS