Vulnerabilities > CVE-2018-1426 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in IBM DB2

CVSS 9.1 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

ibm

CWE-335

critical

NVD

Published: 2018-03-22

Updated: 2020-08-24

Summary

IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. IBM X-Force ID: 139071.

Vulnerable Configurations

Part	Description	Count
Application	Ibm IBM DB2 9.7 IBM DB2 10.1 IBM DB2 10.5 IBM DB2 11.1	4
OS	Linux Linux Linux Kernel *	1
OS	Microsoft Microsoft Windows -	1

Common Weakness Enumeration (CWE)

CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

References

https://exchange.xforce.ibmcloud.com/vulnerabilities/139071
http://www.ibm.com/support/docview.wss?uid=swg22013756
http://www.securitytracker.com/id/1041012
http://www.securityfocus.com/bid/105580