Modes d'introduction
Implementation : REALIZATION: This weakness is caused during implementation of an architectural security tactic.
Plateformes applicables
Langue
Class: Not Language-Specific (Undetermined)
Conséquences courantes
Portée |
Impact |
Probabilité |
Other | Varies by Context | |
Exemples observés
Références |
Description |
| product generates passwords via org.apache.commons.lang.RandomStringUtils, which uses java.util.Random internally. This PRNG has only a 48-bit seed. |
Mesures d’atténuation potentielles
Phases : Architecture and Design
Use well vetted pseudo-random number generating algorithms with adequate length seeds. Pseudo-random number generators can produce predictable numbers if the generator is known and the seed can be guessed. A 256-bit seed is a good starting point for producing a "random enough" number.
Phases : Architecture and Design // Requirements
Use products or modules that conform to FIPS 140-2 [REF-267] to avoid obvious entropy problems, or use the more recent FIPS 140-3 [REF-1192] if possible.
Notes de cartographie des vulnérabilités
Justification : This CWE entry is at the Variant level of abstraction, which is a preferred level of abstraction for mapping to the root causes of vulnerabilities.
Commentaire : Carefully read both the name and description to ensure that this mapping is an appropriate fit. Do not try to 'force' a mapping to a lower-level Base/Variant simply to comply with this preferred level of abstraction.
NotesNotes
This entry may have a chaining relationship with predictable from observable state (CWE-341).
As of CWE 4.5, terminology related to randomness, entropy, and
predictability can vary widely. Within the developer and other
communities, "randomness" is used heavily. However, within
cryptography, "entropy" is distinct, typically implied as a
measurement. There are no commonly-used definitions, even within
standards documents and cryptography papers. Future versions of
CWE will attempt to define these terms and, if necessary,
distinguish between them in ways that are appropriate for
different communities but do not reduce the usability of CWE for
mapping, understanding, or other scenarios.
Références
REF-267
SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
Information Technology Laboratory, National Institute of Standards and Technology.
https://csrc.nist.gov/csrc/media/publications/fips/140/2/final/documents/fips1402.pdf REF-1192
FIPS PUB 140-3: SECURITY REQUIREMENTS FOR CRYPTOGRAPHIC MODULES
Information Technology Laboratory, National Institute of Standards and Technology.
https://csrc.nist.gov/publications/detail/fips/140/3/final
Soumission
Nom |
Organisation |
Date |
Date de publication |
Version |
PLOVER |
|
2006-07-19 +00:00 |
2006-07-19 +00:00 |
Draft 3 |
Modifications
Nom |
Organisation |
Date |
Commentaire |
Eric Dalci |
Cigital |
2008-07-01 +00:00 |
updated Time_of_Introduction |
CWE Content Team |
MITRE |
2008-09-08 +00:00 |
updated Maintenance_Notes, Relationships, Taxonomy_Mappings |
CWE Content Team |
MITRE |
2009-03-10 +00:00 |
updated Potential_Mitigations |
CWE Content Team |
MITRE |
2009-12-28 +00:00 |
updated Potential_Mitigations |
CWE Content Team |
MITRE |
2010-06-21 +00:00 |
updated Observed_Examples, Potential_Mitigations |
CWE Content Team |
MITRE |
2011-06-01 +00:00 |
updated Common_Consequences |
CWE Content Team |
MITRE |
2011-06-27 +00:00 |
updated Common_Consequences |
CWE Content Team |
MITRE |
2011-09-13 +00:00 |
updated Potential_Mitigations, References |
CWE Content Team |
MITRE |
2012-05-11 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2012-10-30 +00:00 |
updated Potential_Mitigations |
CWE Content Team |
MITRE |
2017-11-08 +00:00 |
updated Applicable_Platforms, Modes_of_Introduction, References, Relationships |
CWE Content Team |
MITRE |
2019-06-20 +00:00 |
updated Type |
CWE Content Team |
MITRE |
2020-02-24 +00:00 |
updated Relationships |
CWE Content Team |
MITRE |
2021-03-15 +00:00 |
updated Maintenance_Notes |
CWE Content Team |
MITRE |
2021-07-20 +00:00 |
updated Demonstrative_Examples, Description, Maintenance_Notes, Observed_Examples, Potential_Mitigations, References |
CWE Content Team |
MITRE |
2023-04-27 +00:00 |
updated References, Relationships, Time_of_Introduction |
CWE Content Team |
MITRE |
2023-06-29 +00:00 |
updated Mapping_Notes |
CWE Content Team |
MITRE |
2023-10-26 +00:00 |
updated Demonstrative_Examples |