SB2019050722 - Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Ratpack
Published: May 7, 2019 Updated: July 17, 2020
Description
This security bulletin contains information about 1 security vulnerability.
1) Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) (CVE-ID: CVE-2019-11808)
The vulnerability allows a remote, unauthenticated attacker to gain access to sensitive information.
Ratpack versions before 1.6.1 generate session IDs with the JDK's ThreadLocalRandom, a fast general-purpose PRNG that is not cryptographically secure. If an attacker can narrow the server start time to a small window and obtain one session ID value, they can in principle reconstruct the sequence of session IDs and so predict the identifiers of other users' sessions.
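As an added illustration, not code from Ratpack or from the bulletin, the weak pattern described above next to the hardened form a fix would use. The class and method names are assumptions; the point is the choice of random source, and that the session ID carries enough entropy (128 bits here) to make guessing infeasible:

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ThreadLocalRandom;

// Added example (hypothetical class names): weak session-ID generation beside the fix.
public final class SessionIdExample {

    private static final int ID_BYTES = 16; // 128 bits of entropy per session ID

    // WEAK: ThreadLocalRandom is a general-purpose PRNG whose seed is derived from the
    // JVM's start state. Its output is reproducible by anyone who can narrow down that
    // seed, so one observed ID plus a guess at the server start time exposes the stream.
    static String weakSessionId() {
        byte[] bytes = new byte[ID_BYTES];
        ThreadLocalRandom.current().nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    // FIXED: SecureRandom draws from the platform CSPRNG. A single instance is
    // thread-safe and can be shared by every request handler.
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    static String strongSessionId() {
        byte[] bytes = new byte[ID_BYTES];
        SECURE_RANDOM.nextBytes(bytes);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(bytes);
    }

    public static void main(String[] args) {
        // Both look equally random to the eye; only the second is unpredictable.
        System.out.println("weak:   " + weakSessionId());
        System.out.println("strong: " + strongSessionId());
    }
}
```

When auditing a Java service for this class of bug, grep for `ThreadLocalRandom`, `java.util.Random`, `Math.random` and `UUID.randomUUID` near anything named session, token, nonce or reset; only `SecureRandom` (and `UUID.randomUUID`, which is backed by it) is acceptable for values that must be unguessable.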
Remediation
Upgrade to Ratpack 1.6.1 or later (install the update from the vendor's website). Session IDs issued by a vulnerable version remain predictable after the upgrade, so existing sessions should be invalidated and reissued once the fixed version is running.