Bug 1097345 (CVE-2014-0878) - CVE-2014-0878 IBM JDK: Vulnerability in the IBMSecureRandom implementation of the IBMJCE and IBMSecureRandom cryptographic providers
Summary: CVE-2014-0878 IBM JDK: Vulnerability in the IBMSecureRandom implementation of...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2014-0878
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20140512,repor...
Depends On:
Blocks: 1082776
TreeView+ depends on / blocked
 
Reported: 2014-05-13 15:18 UTC by Vasyl Kaigorodov
Modified: 2019-06-08 20:02 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-05-30 08:40:18 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2014:0982 normal SHIPPED_LIVE Low: Red Hat Network Satellite server IBM Java Runtime security update 2014-07-29 19:40:11 UTC

Description Vasyl Kaigorodov 2014-05-13 15:18:47 UTC
It looks to be specific to the IBM JDK only (OpenJDK/Oracle Java are not affected).
A vulnerability in the IBMSecureRandom implementation of the IBMJCE and IBMSecureRandom cryptographic providers was reported. [1]
This flaw potentially allows an attacker to predict the output of the random number generator under certain circumstances.

[1]: http://www.auscert.org.au/render.html?it=19629

Comment 2 Stefan Cornelius 2014-05-30 08:34:31 UTC
IBM mentions the following workaround:
"For CVE-2014-0878, use the IBMSecureRandom implementation from the IBMJCEFIPS cryptographic provider. Or, if using the IBMJCE cryptographic provider, use the SHA1PRNG or the DRBG family of secure random number generators. Or, if using the IBMSecureRandom cryptographic provider, use the SHA1PRNG secure random number generator."

References:

http://www-01.ibm.com/support/docview.wss?uid=swg21672043

Comment 4 Tomas Hoger 2014-07-28 07:56:50 UTC
Red Hat Enterprise Linux Supplementary updates to fixed IBM Java SE 5.0, 6, and 7 versions were released before this CVE was made public.  The list of relevant errata can be found on the CVE page:

https://access.redhat.com/security/cve/CVE-2014-0878

Comment 5 errata-xmlrpc 2014-07-29 15:43:24 UTC
This issue has been addressed in following products:

  Red Hat Network Satellite Server v 5.4
  Red Hat Network Satellite Server v 5.5
  Red Hat Satellite Server v 5.6

Via RHSA-2014:0982 https://rhn.redhat.com/errata/RHSA-2014-0982.html


Note You need to log in before you can comment on or make changes to this bug.