Jetty Insecure Random Number Generation Vulnerability

Bugtraq ID:	22405
Class:	Design Error
CVE:	CVE-2006-6969
Remote:	Yes
Local:	No
Published:	Feb 05 2007 12:00AM
Updated:	May 12 2015 07:34PM
Credit:	Chris Anley is credited with the discovery of this vulnerability.
Vulnerable:	Jetty Jetty 6.0.1 Jetty Jetty 5.1.11 Jetty Jetty 4.2.24 Jetty Jetty 4.2.19 Jetty Jetty 4.2.18 Jetty Jetty 4.2.17 Jetty Jetty 4.2.16 Jetty Jetty 4.2.15 Jetty Jetty 4.2.14 Jetty Jetty 4.2.12 Jetty Jetty 4.2.11 Jetty Jetty 4.2.9 Jetty Jetty 6.1.0pre2
Not Vulnerable:	Jetty Jetty 6.0.2 Jetty Jetty 5.1.12 Jetty Jetty 4.2.27 Jetty Jetty 6.1.0pre3

Jetty Insecure Random Number Generation Vulnerability

Jetty is prone to a vulnerability that lets an attacker determine the seed of a random-number generator.

An attacker can exploit this issue to obtain session IDs. This may allow the attacker to hijack a user's session.

This issue affects versions prior to 4.2.27 for the 4.x series, 5.1.12 for the 5.x series, 6.0.2 for the 6.0x series, and 6.1.0pre3 for the 6.1.x series.

Jetty Insecure Random Number Generation Vulnerability

An attacker can exploit this issue by using standard network utilities.

Jetty Insecure Random Number Generation Vulnerability

Solution:
The vendor released various updates to address this issue. Please see the references for more information.

Jetty Insecure Random Number Generation Vulnerability

References:

• Jetty Changelog (Jetty)
  
• Jetty Session ID Prediction ([email protected])
  
• NGSSoftware Insight Security Research ([email protected])