CVE-2014-0878
Description
The IBMSecureRandom component in IBM SDK Java Technology Edition has a flawed seeding mechanism that allows attackers to predict random number generator output, weakening cryptographic protections.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
CVE-2014-0878 is a flaw in the seeding mechanism of the IBMSecureRandom implementation within the IBMJCE and IBMSecureRandom cryptographic providers included in IBM SDK Java Technology Edition [2]. The following versions are affected: 5.0 before Service Refresh 16 FP6, 6 before Service Refresh 16, 6.0.1 before Service Refresh 8, 7 before Service Refresh 7, and 7R1 before Service Refresh 1 [2]. The vulnerability makes it easier for an attacker to predict the output of the random number generator under certain circumstances [2][3].
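To see whether a given JVM actually draws its randomness from the providers named above, the following added example (not IBM's code and not part of the original entry) lists every registered SecureRandom service and shows which provider `new SecureRandom()` resolves to. The class name `SecureRandomProviderAudit` is hypothetical; it uses only standard `java.security` calls and Java 5 compatible syntax so it also compiles on the older affected streams.

```java
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: reports whether SecureRandom in this JVM is served by one of
// the providers named in the CVE description (IBMJCE, IBMSecureRandom).
public class SecureRandomProviderAudit {
    // Provider names taken from the CVE text above.
    static final List<String> FLAGGED = Arrays.asList("IBMJCE", "IBMSecureRandom");

    // Every "provider/algorithm" pair registered for the SecureRandom service type.
    static List<String> secureRandomServices() {
        List<String> found = new ArrayList<String>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SecureRandom".equals(s.getType())) {
                    found.add(p.getName() + "/" + s.getAlgorithm());
                }
            }
        }
        return found;
    }

    static boolean isFlagged(String providerName) {
        return FLAGGED.contains(providerName);
    }

    public static void main(String[] args) {
        // Printed so the result can be matched against the affected service refresh levels.
        System.out.println("java.vendor          = " + System.getProperty("java.vendor"));
        System.out.println("java.runtime.version = " + System.getProperty("java.runtime.version"));

        // What `new SecureRandom()` resolves to is what most library code ends up using.
        SecureRandom dflt = new SecureRandom();
        String name = dflt.getProvider().getName();
        System.out.println("default SecureRandom = " + name + "/" + dflt.getAlgorithm()
                + (isFlagged(name) ? "  <-- provider named in CVE-2014-0878" : ""));

        for (String svc : secureRandomServices()) {
            String prov = svc.substring(0, svc.indexOf('/'));
            System.out.println((isFlagged(prov) ? "[check SR level] " : "[other]          ") + svc);
        }
    }
}
```

A flagged provider only means the JVM is in scope; whether it is affected depends on the service refresh level, which has to be compared with the version ranges listed above.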
Exploitation
An attacker with network access to a system using the affected cryptographic providers could, under specific conditions, predict the random seed or output of IBMSecureRandom [2]. The attack requires moderate complexity (CVSS AC:M) and no authentication [2][3]. The exact sequence of steps is not disclosed in the available references, but the flaw resides in the seeding mechanism, implying that an attacker could observe or influence the seed generation to predict subsequent random values [1][2].
Impact
Successful exploitation allows an attacker to defeat cryptographic protection mechanisms by predicting random number generator output [2]. This leads to partial confidentiality impact (disclosure of sensitive information) and partial integrity impact (ability to forge or modify cryptographic operations) [2][3]. The CVSS base score is 5.8 (AV:N/AC:M/Au:N/C:P/I:P/A:N) [2][3]. The attacker does not gain direct code execution but can undermine cryptographic security.
Mitigation
IBM has released fixes by upgrading the affected SDK components to Java 6 Service Refresh 16 (SR16) [1][3]. For IBM SmartCloud Provisioning 2.1.0, the fix is included in Fix Pack 5 (2.1.0.5) [1]. For other products, the vendor advises applying the latest available IBM SDK Java Technology Edition updates as listed in security bulletin 21672043 [2]. No workaround is documented. The CVE is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
- SmartCloud Provisioning 2.1 Fix Pack 5 (SCP
- Security Bulletin: Multiple vulnerabilities in current releases of the IBM® SDK, Java™ Technology Edition
- Security Bulletin: Security vulnerabilities in IBM SDK, Java™ Technology Edition (CVE-2014-0878, CVE-2014-0460, CVE-2014-0453, CVE-2014-2420) affect SmartCloud Provisioning
AI Insight generated on May 23, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:a:ibm:java_sdk:5.0.0.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.11.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.11.1:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.11.2:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.12.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.12.1:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.12.2:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.12.3:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.12.4:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.12.5:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.13.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.14.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.15.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.16.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.16.1:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.16.2:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.16.3:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.16.4:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:5.0.16.5:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.0.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.10.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.10.1:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.1.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.11.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.12.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.13.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.13.1:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.13.2:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.14.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.15.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.15.1:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.2.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.3.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.4.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.5.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.6.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.7.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.8.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.8.1:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.9.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.9.1:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:6.0.9.2:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:7.0.0.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:7.0.1.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:7.0.2.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:7.0.3.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:7.0.4.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:7.0.4.1:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:7.0.4.2:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:7.0.5.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:7.0.6.0:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:7.0.6.1:*:*:*:technology:*:*:*
- cpe:2.3:a:ibm:java_sdk:7.1.0.0:*:*:*:technology:*:*:*
- Range: >=5.0 <5.0 SR16 FP6, >=6 <6 SR16, >=6.0.1 <6.0.1 SR8, >=7 <7 SR7, >=7R1 <7R1 SR1
Patches
No patches discovered yet.
References
- www-01.ibm.com/support/docview.wss (nvd, Vendor Advisory)
- www-01.ibm.com/support/docview.wss (nvd, Vendor Advisory)
- www-01.ibm.com/support/docview.wss (nvd, Vendor Advisory)
- secunia.com/advisories/59022 (nvd)
- secunia.com/advisories/59023 (nvd)
- secunia.com/advisories/59058 (nvd)
- secunia.com/advisories/61264 (nvd)
- www-01.ibm.com/support/docview.wss (nvd)
- www-01.ibm.com/support/docview.wss (nvd)
- www-01.ibm.com/support/docview.wss (nvd)
- www-01.ibm.com/support/docview.wss (nvd)
- www-01.ibm.com/support/docview.wss (nvd)
- www-01.ibm.com/support/docview.wss (nvd)
- www-01.ibm.com/support/docview.wss (nvd)
- www-01.ibm.com/support/docview.wss (nvd)
- www-01.ibm.com/support/docview.wss (nvd)
- www-01.ibm.com/support/docview.wss (nvd)
- www.ibm.com/support/docview.wss (nvd)
- www.ibm.com/support/docview.wss (nvd)
- www.ibm.com/support/docview.wss (nvd)
- www.securityfocus.com/bid/67601 (nvd)
- exchange.xforce.ibmcloud.com/vulnerabilities/91084 (nvd)