Sakai kernel-impl: predictable PRNG used to generate server‑side encryption key in EncryptionUtilityServiceImpl

Sakai is a Collaboration and Learning Environment. Prior to versions 23.5 and 25.0, EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java.util.Random. java.util.Random is a non‑cryptographic PRNG and can be predicted from limited state/seed information (e.g., start time window), substantially reducing the effective search space of the generated key. An attacker who can obtain ciphertexts (e.g., exported or at‑rest strings protected by this service) and approximate the PRNG seed can feasibly reconstruct the serverSecretKey and decrypt affected data. SAK-49866 is patched in Sakai 23.5, 25.0, and trunk.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

PRNG中使用可预测种子

Sakai 安全漏洞

Sakai是Apereo Sakai开源的一个免费提供、功能丰富的技术解决方案，用于学习、教学、研究和协作。 Sakai 23.5之前版本和25.0之前版本存在安全漏洞，该漏洞源于使用非加密伪随机数生成器初始化AES256TextEncryptor密码，可能导致密钥被预测和数据解密。

N/A

N/A