Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Ratpack

#VU31081 Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Ratpack

Published: 2019-05-07 | Updated: 2020-07-17

Vulnerability identifier: #VU31081

Vulnerability risk: Low

CVSSv3.1: 3.2 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2019-11808

CWE-ID: CWE-338

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Ratpack
Universal components / Libraries / Libraries used by multiple products

Vendor: Ratpack

Description

The vulnerability allows a remote non-authenticated attacker to gain access to sensitive information.

Ratpack versions before 1.6.1 generate a session ID using a cryptographically weak PRNG in the JDK's ThreadLocalRandom. This means that if an attacker can determine a small window for the server start time and obtain a session ID value, they can theoretically determine the sequence of session IDs.

Mitigation
Install update from vendor's website.

Vulnerable software versions

Ratpack: 1.6.0

External links
http://github.com/ratpack/ratpack/commit/f2b63eb82dd71194319fd3945f5edf29b8f3a42d
http://github.com/ratpack/ratpack/issues/1448
http://github.com/ratpack/ratpack/releases/tag/v1.6.1

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG) in Ratpack Ratpack