Vulnerabilities: 1 via 1 paths

Dependencies: 6

Source: GitHub

Commit: 1487e3dd

critical severity

Insecure Random Number Generation

  • Vulnerable module: com.typesafe.akka:akka-actor_2.12
  • Introduced through: com.typesafe.akka:akka-actor_2.12@2.5.4

Detailed paths

  • Introduced through: mramshaw/paho-akka@mramshaw/paho-akka#1487e3dd82590c048aad380946794fcf5a948a7b com.typesafe.akka:akka-actor_2.12@2.5.4
    Remediation: Upgrade to com.typesafe.akka:akka-actor_2.12@2.5.16.

Overview

com.typesafe.akka:akka-actor_2.12 is a toolkit for building highly concurrent, distributed, and resilient message-driven applications for Java and Scala.

Affected versions of this package are vulnerable to Insecure Random Number Generation. When a custom random number generator is configured, if the AES128CounterSecureRNG and AES256CounterSecureRNG are enabled, a malicious user could easily guess the random number used during encryption and possibly eavesdrop on ongoing communications. This is due to a bug in the AES128CounterSecureRNG and AES256CounterSecureRNG implementations that causes the generated numbers to repeat themselves after a few bytes.

Remediation

Upgrade com.typesafe.akka:akka-actor_2.12 to version 2.5.16 or higher.
