cwe-329-missing-random-iv

SKILL.md

CWE-329 Missing Random IV in CBC Mode

Description

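The code encrypts with a block cipher in CBC mode but does not use a random, unpredictable initialization vector (IV) for each encryption. A fixed or reused IV removes the randomization that CBC depends on.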

Reference: https://cwe.mitre.org/data/definitions/329.html

OWASP Category: A02:2021 – Cryptographic Failures


Vulnerable Pattern

❌ Example 1: Vulnerable Pattern

// VULNERABLE: Static IV reused
private static final byte[] STATIC_IV = "1234567890123456".getBytes();

Cipher cipher = Cipher.getInstance("AES/CBC/PKCS5Padding");
cipher.init(Cipher.ENCRYPT_MODE, key, new IvParameterSpec(STATIC_IV));

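Why it's vulnerable: With a fixed IV, CBC encryption under the same key is deterministic. Identical plaintexts, and plaintexts that share the same leading blocks, produce identical ciphertext blocks, so anyone who can see the ciphertexts can tell when messages repeat or share a prefix.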


Deterministic Fix

✅ Secure Implementation

// SECURE: Generate random IV for each encryption
public byte[] encrypt(byte[] plaintext, SecretKey key) throws Exception {
    // Generate random IV (GCM accepts 16 bytes; 12 bytes is the length NIST SP 800-38D recommends)
    byte[] iv = new byte[16];
    new SecureRandom().nextBytes(iv);

    Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");  // GCM preferred
    cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
    byte[] ciphertext = cipher.doFinal(plaintext);

    // Prepend IV to ciphertext for decryption
    byte[] result = new byte[iv.length + ciphertext.length];
    System.arraycopy(iv, 0, result, 0, iv.length);
    System.arraycopy(ciphertext, 0, result, iv.length, ciphertext.length);
    return result;
}

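Why it's secure: A fresh IV is drawn from SecureRandom on every call, so encrypting the same plaintext twice yields different output, and the IV is prepended to the ciphertext so the decrypting side can recover it. The example also moves from CBC to AES-GCM, which authenticates the ciphertext in addition to encrypting it.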


Detection Pattern

Look for these patterns in your codebase:

# Find static IV patterns
grep -rn "IvParameterSpec.*static\|final.*IV" --include="*.java"

Remediation Steps

  1. Generate a new random IV for each encryption operation

  2. Use SecureRandom for IV generation

  3. Prefer AES-GCM over AES-CBC for authenticated encryption

  4. Store IV with ciphertext (it's not secret)


Key Imports


import java.security.SecureRandom;

import javax.crypto.Cipher;

import javax.crypto.SecretKey;

import javax.crypto.spec.GCMParameterSpec;


Verification

After remediation:

  • Run SAST scanner to confirm vulnerability is resolved

  • Review all instances of the vulnerable pattern

  • Add unit tests that verify the secure implementation

  • Check for similar patterns in related code


Trigger Examples

Fix CWE-329 vulnerability
Resolve Missing Random IV in CBC Mode issue
Secure this Java code against missing random iv in cbc mode
SAST reports CWE-329

Common Vulnerable Locations

| Layer | Files | Patterns |
|---|---|---|
| Controller | *Controller.java | User input handling |
| Service | *Service.java | Business logic |
| Repository | *Repository.java | Data access |


References


Source: Generated by Java CWE Security Skills Generator

Last Updated: 2026-03-07
