CVE-2008-5659
published 2008-12-17CVE-2008-5659: The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and earlier uses a predictable seed based on the system time, which makes it easier for…
PriorityP336high7.5CVSS 2.0
AVNACLAuNCPIPAP
EXPLOIT
EPSS
3.35%
87.2th percentile
The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and earlier uses a predictable seed based on the system time, which makes it easier for context-dependent attackers to conduct brute force attacks against cryptographic routines that use this class for randomness, as demonstrated against DSA private keys.
Affected
25 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gnu | classpath | <= 0.97.2 | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
| gnu | classpath | — | — |
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat7.8HIGH
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
gnu.java.security.util.PRNG produces easily predictable values
vendor_redhat·2008-12-08·CVSS 7.5
CVE-2008-5659 [HIGH] gnu.java.security.util.PRNG produces easily predictable values
gnu.java.security.util.PRNG produces easily predictable values
The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and earlier uses a predictable seed based on the system time, which makes it easier for context-dependent attackers to conduct brute force attacks against cryptographic routines that use this class for randomness, as demonstrated against DSA private keys.
Statement: The risks associated with fixing this bug are greater than the low severity
security risk. We therefore currently have no plans to fix this flaw in
Red Hat Enterprise Linux 5.
Red Hat
acroread Multiple buffer overflows
vendor_redhat·2008-02-08·CVSS 7.8
CVE-2007-5659 [HIGH] acroread Multiple buffer overflows
acroread Multiple buffer overflows
Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.
GHSA
GHSA-h5cf-h82c-8jhv: The gnu
ghsa_unreviewed·2022-05-17
CVE-2008-5659 [HIGH] GHSA-h5cf-h82c-8jhv: The gnu
The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and earlier uses a predictable seed based on the system time, which makes it easier for context-dependent attackers to conduct brute force attacks against cryptographic routines that use this class for randomness, as demonstrated against DSA private keys.
No detection rules found.
Exploit-DB
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (1)
exploitdb·2008-12-05
CVE-2008-5659 GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (1)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (1)
---
source: https://www.securityfocus.com/bid/32909/info
GNU Classpath is prone to a weakness that may result in weaker cryptographic security because its psuedo-random number generator (PRNG) lacks entropy.
Attackers may leverage this issue to obtain sensitive information that can lead to further attacks.
Classpath 0.97.2 is vulnerable; other versions may also be affected.
import gnu.java.security.util.PRNG;
class PRNGTest {
public static void main(String args[])
{
long t = System.currentTimeMillis();
System.out.println("Time in ms is " + t);
PRNG prng = PRNG.getInstance();
byte buffer[] = new byte[40];
prng.nextBytes(buffer, 0, buffer.length);
for(int i = 0; i != buffer.length; ++i)
{
// There must be an e
Exploit-DB
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (2)
exploitdb·2008-12-05
CVE-2008-5659 GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (2)
GNU Classpath 0.97.2 - 'gnu.java.security.util.PRNG' Class Entropy (2)
---
source: https://www.securityfocus.com/bid/32909/info
GNU Classpath is prone to a weakness that may result in weaker cryptographic security because its psuedo-random number generator (PRNG) lacks entropy.
Attackers may leverage this issue to obtain sensitive information that can lead to further attacks.
Classpath 0.97.2 is vulnerable; other versions may also be affected.
#include
#include
#include
using namespace Botan;
#include
#include
int main(int argc, char* argv[])
{
Botan::LibraryInitializer init;
// by default start with a guess of 1 minute ago
u64bit time_guess = (std::time(0) - 60);
time_guess *= 1000; // convert to ms
u32bit how_many = 60000; // 60 second range by default
if(argc >= 2)
how_many =
Bugzilla
CVE-2008-5659 gnu.java.security.util.PRNG produces easily predictable values
bugzilla·2008-12-19·CVSS 7.5
CVE-2008-5659 [HIGH] CVE-2008-5659 gnu.java.security.util.PRNG produces easily predictable values
CVE-2008-5659 gnu.java.security.util.PRNG produces easily predictable values
Common Vulnerabilities and Exposures assigned an identifier CVE-2008-5659 to the following vulnerability:
The gnu.java.security.util.PRNG class in GNU Classpath 0.97.2 and
earlier uses a predictable seed based on the system time, which makes
it easier for context-dependent attackers to conduct brute force
attacks against cryptographic routines that use this class for
randomness, as demonstrated against DSA private keys.
Upstream bug:
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417
Reference:
http://www.openwall.com/lists/oss-security/2008/12/06/2
Discussion:
PRNG implementation in GNU Classpath is based on gnu-crypto implementation. Version of gnu-crypo as shipped in Red Hat Enterprise Linux 5 does not imp
Bugzilla
CVE-2007-5659 acroread Multiple buffer overflows
bugzilla·2008-02-13·CVSS 7.8
CVE-2007-5659 [HIGH] CVE-2007-5659 acroread Multiple buffer overflows
CVE-2007-5659 acroread Multiple buffer overflows
Common Vulnerabilities and Exposures assigned an identifier CVE-2007-5659 to the following vulnerability:
Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file with long arguments to unspecified JavaScript methods. NOTE: this issue might be subsumed by CVE-2008-0655.
References:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=657
http://www.adobe.com/support/security/advisories/apsa08-01.html
Discussion:
This issue was addressed in:
Red Hat Enterprise Linux Extras:
http://rhn.redhat.com/errata/RHSA-2008-0144.html
---
Reporter changed to [email protected] by request of Jay Turner.
http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417http://www.openwall.com/lists/oss-security/2008/12/06/2https://exchange.xforce.ibmcloud.com/vulnerabilities/47574http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417http://www.openwall.com/lists/oss-security/2008/12/06/2https://exchange.xforce.ibmcloud.com/vulnerabilities/47574
2008-12-17
Published