Medium severity5.9NVD Advisory· Published Dec 31, 2015· Updated May 6, 2026
CVE-2015-2913
CVE-2015-2913
Description
server/network/protocol/http/OHttpSessionManager.java in the Studio component in OrientDB Server Community Edition before 2.0.15 and 2.1.x before 2.1.1 improperly relies on the java.util.Random class for generation of random Session ID values, which makes it easier for remote attackers to predict a value by determining the internal state of the PRNG in this class.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.orientechnologies:orientdb-serverMaven | < 2.0.15 | 2.0.15 |
com.orientechnologies:orientdb-serverMaven | >= 2.1.0, < 2.1.1 | 2.1.1 |
Affected products
2Patches
1668ece96be21Adopted SecureRandom to avoid predicable random numbers in session
1 file changed · +136 −135
server/src/main/java/com/orientechnologies/orient/server/network/protocol/http/OHttpSessionManager.java+136 −135 modified@@ -1,141 +1,142 @@ /* - * - * * Copyright 2014 Orient Technologies LTD (info(at)orientechnologies.com) - * * - * * Licensed under the Apache License, Version 2.0 (the "License"); - * * you may not use this file except in compliance with the License. - * * You may obtain a copy of the License at - * * - * * http://www.apache.org/licenses/LICENSE-2.0 - * * - * * Unless required by applicable law or agreed to in writing, software - * * distributed under the License is distributed on an "AS IS" BASIS, - * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * * See the License for the specific language governing permissions and - * * limitations under the License. - * * - * * For more information: http://www.orientechnologies.com - * - */ + * + * * Copyright 2014 Orient Technologies LTD (info(at)orientechnologies.com) + * * + * * Licensed under the Apache License, Version 2.0 (the "License"); + * * you may not use this file except in compliance with the License. + * * You may obtain a copy of the License at + * * + * * http://www.apache.org/licenses/LICENSE-2.0 + * * + * * Unless required by applicable law or agreed to in writing, software + * * distributed under the License is distributed on an "AS IS" BASIS, + * * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * * See the License for the specific language governing permissions and + * * limitations under the License. + * * + * * For more information: http://www.orientechnologies.com + * + */ package com.orientechnologies.orient.server.network.protocol.http; import com.orientechnologies.common.concur.resource.OSharedResourceAbstract; - import com.orientechnologies.common.log.OLogManager; - import com.orientechnologies.orient.core.Orient; - import com.orientechnologies.orient.core.config.OGlobalConfiguration; - - import java.util.HashMap; - import java.util.Iterator; - import java.util.Map; - import java.util.Map.Entry; - import java.util.Random; - import java.util.TimerTask; +import com.orientechnologies.common.log.OLogManager; +import com.orientechnologies.orient.core.Orient; +import com.orientechnologies.orient.core.config.OGlobalConfiguration; + +import java.security.SecureRandom; +import java.util.HashMap; +import java.util.Iterator; +import java.util.Map; +import java.util.Map.Entry; +import java.util.Random; +import java.util.TimerTask; /** - * Handles the HTTP sessions such as a real HTTP Server. - * - * @author Luca Garulli - */ - public class OHttpSessionManager extends OSharedResourceAbstract { - private static final OHttpSessionManager instance = new OHttpSessionManager(); - private Map<String, OHttpSession> sessions = new HashMap<String, OHttpSession>(); - private int expirationTime; - private Random random = new Random(); - - protected OHttpSessionManager() { - expirationTime = OGlobalConfiguration.NETWORK_HTTP_SESSION_EXPIRE_TIMEOUT.getValueAsInteger() * 1000; - - Orient.instance().scheduleTask(new TimerTask() { - @Override - public void run() { - final int expired = checkSessionsValidity(); - if (expired > 0) - OLogManager.instance().debug(this, "Removed %d session because expired", expired); - } - }, expirationTime, expirationTime); - } - - public int checkSessionsValidity() { - int expired = 0; - - acquireExclusiveLock(); - try { - final long now = System.currentTimeMillis(); - - Entry<String, OHttpSession> s; - for (Iterator<Map.Entry<String, OHttpSession>> it = sessions.entrySet().iterator(); it.hasNext();) { - s = it.next(); - - if (now - s.getValue().getUpdatedOn() > expirationTime) { - // REMOVE THE SESSION - it.remove(); - expired++; - } - } - - } finally { - releaseExclusiveLock(); - } - - return expired; - } - - public OHttpSession[] getSessions() { - acquireSharedLock(); - try { - - return (OHttpSession[]) sessions.values().toArray(new OHttpSession[sessions.size()]); - - } finally { - releaseSharedLock(); - } - } - - public OHttpSession getSession(final String iId) { - acquireSharedLock(); - try { - - final OHttpSession sess = sessions.get(iId); - if (sess != null) - sess.updateLastUpdatedOn(); - return sess; - - } finally { - releaseSharedLock(); - } - } - - public String createSession(final String iDatabaseName, final String iUserName, final String iUserPassword) { - acquireExclusiveLock(); - try { - final String id = "OS" + System.currentTimeMillis() + random.nextLong(); - sessions.put(id, new OHttpSession(id, iDatabaseName, iUserName, iUserPassword)); - return id; - - } finally { - releaseExclusiveLock(); - } - } - - public OHttpSession removeSession(final String iSessionId) { - acquireExclusiveLock(); - try { - return sessions.remove(iSessionId); - - } finally { - releaseExclusiveLock(); - } - } - - public int getExpirationTime() { - return expirationTime; - } - - public void setExpirationTime(int expirationTime) { - this.expirationTime = expirationTime; - } - - public static OHttpSessionManager getInstance() { - return instance; - } - } + * Handles the HTTP sessions such as a real HTTP Server. + * + * @author Luca Garulli + */ +public class OHttpSessionManager extends OSharedResourceAbstract { + private static final OHttpSessionManager instance = new OHttpSessionManager(); + private Map<String, OHttpSession> sessions = new HashMap<String, OHttpSession>(); + private int expirationTime; + private Random random = new SecureRandom(); + + protected OHttpSessionManager() { + expirationTime = OGlobalConfiguration.NETWORK_HTTP_SESSION_EXPIRE_TIMEOUT.getValueAsInteger() * 1000; + + Orient.instance().scheduleTask(new TimerTask() { + @Override + public void run() { + final int expired = checkSessionsValidity(); + if (expired > 0) + OLogManager.instance().debug(this, "Removed %d session because expired", expired); + } + }, expirationTime, expirationTime); + } + + public int checkSessionsValidity() { + int expired = 0; + + acquireExclusiveLock(); + try { + final long now = System.currentTimeMillis(); + + Entry<String, OHttpSession> s; + for (Iterator<Map.Entry<String, OHttpSession>> it = sessions.entrySet().iterator(); it.hasNext();) { + s = it.next(); + + if (now - s.getValue().getUpdatedOn() > expirationTime) { + // REMOVE THE SESSION + it.remove(); + expired++; + } + } + + } finally { + releaseExclusiveLock(); + } + + return expired; + } + + public OHttpSession[] getSessions() { + acquireSharedLock(); + try { + + return (OHttpSession[]) sessions.values().toArray(new OHttpSession[sessions.size()]); + + } finally { + releaseSharedLock(); + } + } + + public OHttpSession getSession(final String iId) { + acquireSharedLock(); + try { + + final OHttpSession sess = sessions.get(iId); + if (sess != null) + sess.updateLastUpdatedOn(); + return sess; + + } finally { + releaseSharedLock(); + } + } + + public String createSession(final String iDatabaseName, final String iUserName, final String iUserPassword) { + acquireExclusiveLock(); + try { + final String id = "OS" + System.currentTimeMillis() + random.nextLong(); + sessions.put(id, new OHttpSession(id, iDatabaseName, iUserName, iUserPassword)); + return id; + + } finally { + releaseExclusiveLock(); + } + } + + public OHttpSession removeSession(final String iSessionId) { + acquireExclusiveLock(); + try { + return sessions.remove(iSessionId); + + } finally { + releaseExclusiveLock(); + } + } + + public int getExpirationTime() { + return expirationTime; + } + + public void setExpirationTime(int expirationTime) { + this.expirationTime = expirationTime; + } + + public static OHttpSessionManager getInstance() { + return instance; + } +}
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-v6wr-fch2-vm5wghsaADVISORY
- github.com/orientechnologies/orientdb/commit/668ece96be210e742a4e2820a3085b215cf55104nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2015-2913ghsaADVISORY
- www.kb.cert.org/vuls/id/845332nvdThird Party AdvisoryUS Government ResourceWEB
News mentions
0No linked articles in our index yet.