...
Predictable random number sequences can weaken the security of critical applications such as cryptography.
Rule | Severity | Likelihood | Remediation Cost | Priority | Level |
---|---|---|---|---|---|
MSC02-J | High | Probable | Medium | P12 | L1 |
Automated Detection
Tool | Version | Checker | Description | ||||||
---|---|---|---|---|---|---|---|---|---|
CodeSonar |
| JAVA.HARDCODED.SEED | Hardcoded Random Seed (Java) | ||||||
Coverity | 7.5 | RISKY_CRYPTO | Implemented | ||||||
Parasoft Jtest |
|
CRT. |
MSC02.SRD |
Use 'java.security.SecureRandom' instead of 'java.util.Random' or 'Math.random()' | ||||||||
SonarQube |
| S2245 |
Related Vulnerabilities
CVE-2006-6969 describes a vulnerability that enables attackers to guess session identifiers, bypass authentication requirements, and conduct cross-site request forgery attacks.
Related Guidelines
MSC30-C. Do not use the rand() function for generating pseudorandom numbers | |
MSC50-CPP. Do not use std::rand() for generating pseudorandom numbers | |
CWE-327, Use of a Broken or Risky Cryptographic Algorithm CWE-330, Use of Insufficiently Random Values CWE-332, Insufficient Entropy in PRNG CWE-336, Same Seed in PRNG CWE-337, Predictable Seed in PRNG |
Bibliography
...
...