Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Predictable random number sequences can weaken the security of critical applications such as cryptography.

Rule

Severity

Likelihood

Remediation Cost

Priority

Level

MSC02-J

High

Probable

Medium

P12

L1

Automated Detection

Tool
Version
Checker
Description
CodeSonar
Include Page
CodeSonar_V
CodeSonar_V

JAVA.HARDCODED.SEED
JAVA.LIB.RAND.FUNC
JAVA.CRYPTO.RCF
JAVA.CRYPTO.RA
JAVA.CRYPTO.RF
JAVA.CRYPTO.BASE64
JAVA.CRYPTO.WHAF
AVA.LIB.RAND.LEGACY.GEN

Hardcoded Random Seed (Java)
Insecure Random Number Generator (Java)
Risky Cipher Field (Java)
Risky Cryptographic Algorithm (Java)
Risky Cryptographic Field (Java)
Unsafe Base64 Encoding (Java)
Weak Hash Algorithm Field (Java)
Legacy Random Generator (Java)

Coverity7.5RISKY_CRYPTOImplemented
Parasoft Jtest
9.5SECURITY.WSC.SRDImplementedSonarQube Java Plugin
Include Page
Parasoft_V
Parasoft_V
CRT.MSC02.SRDUse 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()'
SonarQube
Include Page
SonarQube
Java Plugin
_V
SonarQube
Java Plugin
_V
S2245
Implemented

Related Vulnerabilities

CVE-2006-6969 describes a vulnerability that enables attackers to guess session identifiers, bypass authentication requirements, and conduct cross-site request forgery attacks.

Related Guidelines

SEI CERT C Coding Standard

MSC30-C. Do not use the rand() function for generating pseudorandom numbers

SEI CERT C++ Coding Standard

MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers

MITRE CWE

CWE-327, Use of a Broken or Risky Cryptographic Algorithm

CWE-330, Use of Insufficiently Random Values

CWE-332, Insufficient Entropy in PRNG

CWE-336, Same Seed in PRNG

CWE-337, Predictable Seed in PRNG

Bibliography

...


...



...

Image Modified Image Modified Image Modified