CVE-2008-5659

The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and earlier uses a predictable seed based on the system time, which makes it easier for context-dependent attackers to conduct brute force attacks against cryptographic routines that use this class for randomness, as demonstrated against DSA private keys.

CVSS v2.0 7.5 HIGH

7.5^/10

CVSS v2.0 : HIGH

Vector : AV:N/AC:L/Au:N/C:P/I:P/A:P

Exploitability : 10.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417
http://www.openwall.com/lists/oss-security/2008/12/06/2
https://exchange.xforce.ibmcloud.com/vulnerabilities/47574

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:gnu:classpath::::::::
	cpe:2.3:a:gnu:classpath:0.6:::::::*
	cpe:2.3:a:gnu:classpath:0.7:::::::*
	cpe:2.3:a:gnu:classpath:0.8:::::::*
	cpe:2.3:a:gnu:classpath:0.9:::::::*
	cpe:2.3:a:gnu:classpath:0.10:::::::*
	cpe:2.3:a:gnu:classpath:0.11:::::::*
	cpe:2.3:a:gnu:classpath:0.12:::::::*
	cpe:2.3:a:gnu:classpath:0.13:::::::*
	cpe:2.3:a:gnu:classpath:0.14:::::::*
	cpe:2.3:a:gnu:classpath:0.15:::::::*
	cpe:2.3:a:gnu:classpath:0.16:::::::*
	cpe:2.3:a:gnu:classpath:0.17:::::::*
	cpe:2.3:a:gnu:classpath:0.18:::::::*
	cpe:2.3:a:gnu:classpath:0.19:::::::*
	cpe:2.3:a:gnu:classpath:0.20:::::::*
	cpe:2.3:a:gnu:classpath:0.90:::::::*
	cpe:2.3:a:gnu:classpath:0.91:::::::*
	cpe:2.3:a:gnu:classpath:0.92:::::::*
	cpe:2.3:a:gnu:classpath:0.93:::::::*
	cpe:2.3:a:gnu:classpath:0.95:::::::*
	cpe:2.3:a:gnu:classpath:0.96:::::::*
	cpe:2.3:a:gnu:classpath:0.96.1:::::::*
	cpe:2.3:a:gnu:classpath:0.97:::::::*
	cpe:2.3:a:gnu:classpath:0.97.1:::::::*

History

No history.

Information

Published : 2008-12-17 20:30

Updated : 2023-12-10 10:51

NVD link : CVE-2008-5659

Mitre link : CVE-2008-5659

CVE.ORG link : CVE-2008-5659

JSON object : View

Products Affected

gnu

classpath

CWE

CWE-310

Cryptographic Issues

{"id": "CVE-2008-5659", "metrics": {"cvssMetricV2": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"version": "2.0", "baseScore": 7.5, "accessVector": "NETWORK", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "authentication": "NONE", "integrityImpact": "PARTIAL", "accessComplexity": "LOW", "availabilityImpact": "PARTIAL", "confidentialityImpact": "PARTIAL"}, "acInsufInfo": false, "impactScore": 6.4, "baseSeverity": "HIGH", "obtainAllPrivilege": false, "exploitabilityScore": 10.0, "obtainUserPrivilege": false, "obtainOtherPrivilege": true, "userInteractionRequired": false}]}, "published": "2008-12-17T20:30:01.030", "references": [{"url": "http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417", "source": "cve@mitre.org"}, {"url": "http://www.openwall.com/lists/oss-security/2008/12/06/2", "source": "cve@mitre.org"}, {"url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/47574", "source": "cve@mitre.org"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-310"}]}], "descriptions": [{"lang": "en", "value": "The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and earlier uses a predictable seed based on the system time, which makes it easier for context-dependent attackers to conduct brute force attacks against cryptographic routines that use this class for randomness, as demonstrated against DSA private keys."}, {"lang": "es", "value": "La clase gnu.java.security.util.PRNG en GNU Classpath 0.97.2 y versiones anteriores usa una semilla predecible basada en la hora del sistema, la cual hace m\u00e1s f\u00e1cil para atacantes dependientes de contexto, guiar un ataque de fuerza bruta contra rutinas criptogr\u00e1ficas que usa esta clase para la aletoriedad, como se demuestra contra claves privadas DSA."}], "lastModified": "2017-08-08T01:33:27.280", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:gnu:classpath:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "1A0CF267-C19F-4B32-A4E4-D515D3D7725B", "versionEndIncluding": "0.97.2"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.6:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73D8EFC5-F994-475D-9072-A0EB5EE93223"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.7:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "ACEF6059-1270-45A8-A5F3-BC806ACA3DA6"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.8:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "22290A7B-CD78-48EF-A180-3C470DE74587"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.9:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D8F79579-AFB2-4DDA-A37C-CF0540770C35"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.10:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34F6C9C7-0CEE-4BBB-9E77-B8727342C7EC"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.11:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "C621A667-FA3A-4460-9409-827FB707D86F"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.12:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "FBAC1BF2-C7AE-4BB4-86FA-CFC0F8125F49"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.13:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "E17B6783-C80E-4600-B449-4ACA3F2D1AD6"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.14:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "CDF9A1B0-80CF-4690-9142-F8CC1672DBDF"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.15:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0F9C041D-9CCB-4B70-8C34-553DA84F9298"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.16:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "83CB8D0F-DA54-4126-81F2-CA7818129DAA"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.17:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "EBA61C96-281A-455D-B065-704825B76A70"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.18:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D4556AEA-F27E-4E5B-91F2-685A1DC925D0"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.19:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "73FFB9ED-4541-4211-A7AF-89EB4BF2A59B"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.20:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "89BBB5A7-5859-4DF0-9A36-6C8450BD222B"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.90:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "075463D4-5243-48C6-83AC-15861484719B"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.91:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "0561E70B-32A7-437C-803C-3A86A1C16D7C"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.92:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "526F80F6-F252-4706-B8AE-206DF74C5D09"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.93:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B933028-5D62-4120-A30F-4F88246915D3"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.95:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "34024488-0741-429A-BCC6-0A7C1C7E7C8E"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.96:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "2E223B28-1380-4D91-A3C2-B6093C6E4F8A"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.96.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "178581EE-168B-42DC-9A13-E181BFDE4AB9"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.97:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "037C8E1E-EA1A-435A-B463-60B725B51F5D"}, {"criteria": "cpe:2.3:a:gnu:classpath:0.97.1:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "282BE66F-A823-4A48-B028-014C8BFE9C20"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}