cwe-329-missing-random-iv


Use this skill when you need to remediate CWE-329 (Missing Random IV in CBC Mode) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing Missing Random IV in CBC Mode issues.

By DevelopersCoffee, updated 3/6/2026

name: cwe-329-missing-random-iv
description: Use this skill when you need to remediate CWE-329 (Missing Random IV in CBC Mode) vulnerabilities in Java code. Triggers on SAST findings, security reviews, or when fixing Missing Random IV in CBC Mode issues.
version: 1.0.0
license: MIT
tags:

  • security
  • java
  • cwe-329
  • remediation
  • sast

CWE-329 Missing Random IV in CBC Mode

Description

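Missing Random IV in CBC Mode: the code encrypts with a block cipher in CBC mode but uses a fixed or otherwise predictable initialization vector (IV) instead of a fresh random one for each encryption.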

Reference: https://cwe.mitre.org/data/definitions/329.html

OWASP Category: A02:2021 – Cryptographic Failures


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Static IV reused
private static final byte[] STATIC_IV = "1234567890123456".getBytes();

Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(STATIC_IV));

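Why it's vulnerable: The IV is a hard-coded constant, so every message encrypted under the same key starts from the same IV. In CBC mode, plaintexts that are identical, or that share the same first blocks, then produce identical leading ciphertext blocks, so the ciphertext reveals when data repeats.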


Deterministic Fix

✅ Secure Implementation

// SECURE: Generate random IV for each encryption
public byte[] encrypt(byte[] plaintext, SecretKey key) throws Exception {
    // Generate a fresh random IV for every call (12 bytes is the recommended IV length for GCM)
    byte[] iv = new byte[12];
    new SecureRandom().nextBytes(iv);

    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");  // GCM preferred
    cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
    byte[] ciphertext = cipher.doFinal(plaintext);

    // Prepend IV to ciphertext for decryption
    byte[] result = new byte[iv.length + ciphertext.length];
    System.arraycopy(iv, 0, result, 0, iv.length);
    System.arraycopy(ciphertext, 0, result, iv.length, ciphertext.length);
    return result;
}

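Why it's secure: A new IV is drawn from SecureRandom on every call, so encrypting the same plaintext twice under the same key gives different ciphertexts. The IV is stored in front of the ciphertext so it is available for decryption, and the move from CBC to GCM adds integrity protection.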


Detection Pattern

Look for these patterns in your codebase:

# Find static IV patterns
grep -rn "IvParameterSpec.*static\|final.*IV" --include="*.java"

Remediation Steps

  1. Generate new random IV for each encryption operation

  2. Use SecureRandom for IV generation

  3. Prefer AES-GCM over AES-CBC for authenticated encryption

  4. Store IV with ciphertext (it's not secret)


Key Imports


import java.security.SecureRandom;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code
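
A check of the kind the unit-test item above asks for, written as an added example that is not part of the original skill: it confirms that repeated encryptions differ, that the IV-prefixed layout from remediation step 4 round-trips, and that a modified message is rejected. The class name, method names and the sample plaintext are assumptions; the 12-byte IV is the length recommended for GCM.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

// Added example; class and method names are hypothetical, not from the skill.
public class RandomIvCheck {
    static final int IV_LEN = 12, TAG_BITS = 128;  // 96-bit IV, 128-bit tag
    static final SecureRandom RNG = new SecureRandom();

    static byte[] encrypt(byte[] plaintext, SecretKey key) throws Exception {
        byte[] iv = new byte[IV_LEN];
        RNG.nextBytes(iv);  // fresh IV for every message
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plaintext);
        byte[] out = Arrays.copyOf(iv, IV_LEN + ct.length);  // layout: IV || ciphertext || tag
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return out;
    }

    static byte[] decrypt(byte[] msg, SecretKey key) throws Exception {
        if (msg.length < IV_LEN + TAG_BITS / 8) throw new IllegalArgumentException("message too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        // The IV is read back from the first IV_LEN bytes of the message.
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, msg, 0, IV_LEN));
        return c.doFinal(msg, IV_LEN, msg.length - IV_LEN);
    }

    static void check(boolean ok, String what) {
        if (!ok) throw new AssertionError(what);
    }

    public static void main(String[] args) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(256);
        SecretKey key = kg.generateKey();
        byte[] pt = "constructed sample record".getBytes(StandardCharsets.UTF_8);
        byte[] a = encrypt(pt, key), b = encrypt(pt, key);
        check(!Arrays.equals(a, b), "same plaintext gave identical output");
        check(!Arrays.equals(Arrays.copyOf(a, IV_LEN), Arrays.copyOf(b, IV_LEN)), "IV repeated");
        check(Arrays.equals(pt, decrypt(a, key)), "round trip failed");
        a[a.length - 1] ^= 1;  // flip one bit of the authentication tag
        try { decrypt(a, key); check(false, "tampered message accepted"); }
        catch (AEADBadTagException expected) { /* GCM rejected the modified message */ }
        System.out.println("all checks passed");
    }
}
```

Saved as RandomIvCheck.java, it runs directly with `java RandomIvCheck.java` on Java 11 or later; the same checks move into a test framework unchanged.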


Trigger Examples

Fix CWE-329 vulnerability
Resolve Missing Random IV in CBC Mode issue
Secure this Java code against missing random iv in cbc mode
SAST reports CWE-329

Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |


References


Source: Generated by Java CWE Security Skills Generator
Last Updated: 2026-03-07

Install via CLI
npx skills add https://github.com/DevelopersCoffee/java-cwe-security-skills --skill cwe-329-missing-random-iv