A vulnerability classified as critical was found in gnu Classpath. Affected by this vulnerability is an unknown part of the file gnu.java.security.util.PRNG of the component Crypto. The manipulation with an unknown input leads to a cryptographic issues vulnerability. The CWE definition for the vulnerability is CWE-310. As an impact it is known to affect confidentiality, integrity, and availability. The summary by CVE is:

The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and earlier uses a predictable seed based on the system time, which makes it easier for context-dependent attackers to conduct brute force attacks against cryptographic routines that use this class for randomness, as demonstrated against DSA private keys.

The weakness was shared 12/17/2008 (Website). It is possible to read the advisory at openwall.com. This vulnerability is known as CVE-2008-5659 since 12/17/2008. The exploitation appears to be easy. The attack can be launched remotely. The exploitation doesn't need any form of authentication. Technical details and also a public exploit are known. The attack technique deployed by this issue is T1600 according to MITRE ATT&CK.

A public exploit has been developed in Java. It is possible to download the exploit at securityfocus.com. It is declared as proof-of-concept.

There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.

The vulnerability is also documented in the vulnerability database at X-Force (47574).

Productinfo

Vendor

• gnu

Name

• Classpath

Version

• 0.6
• 0.7
• 0.8
• 0.9
• 0.10
• 0.11
• 0.12
• 0.13
• 0.14
• 0.15
• 0.16
• 0.17
• 0.18
• 0.19
• 0.20
• 0.90
• 0.91
• 0.92
• 0.93
• 0.95
• 0.96
• 0.96.1
• 0.97
• 0.97.1
• 0.97.2

License

• open-source

CPE 2.3info

• 🔍
• 🔍
• 🔍

CPE 2.2info

• 🔍
• 🔍
• 🔍

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion