Vulnerabilities > CVE-2018-1426 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG) vulnerability in IBM DB2

CVSS 6.4 - MEDIUM

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

PARTIAL

Integrity impact

PARTIAL

Availability impact

NONE

network

low complexity

NVD

Published: 2018-03-22

Updated: 2020-08-24

Summary

IBM GSKit (IBM DB2 for Linux, UNIX and Windows 9.7, 10.1, 10.5, and 11.1) duplicates the PRNG state across fork() system calls when multiple ICC instances are loaded which could result in duplicate Session IDs and a risk of duplicate key material. IBM X-Force ID: 139071.

Vulnerable Configurations

Part	Description	Count
Application	Ibm IBM DB2 9.7 IBM DB2 10.1 IBM DB2 10.5 IBM DB2 11.1	4
OS	Linux Linux Linux Kernel *	1
OS	Microsoft Microsoft Windows -	1

Common Weakness Enumeration (CWE)

CWE-335 - Incorrect Usage of Seeds in Pseudo-Random Number Generator (PRNG)

References

http://www.ibm.com/support/docview.wss?uid=swg22013756
http://www.securityfocus.com/bid/105580
http://www.securitytracker.com/id/1041012
https://exchange.xforce.ibmcloud.com/vulnerabilities/139071