Insecure Random Number Generation

Affecting com.typesafe.akka:akka-actor_2.12 artifact, versions [2.5.0, 2.5.16)


Overview

com.typesafe.akka:akka-actor_2.12 is a toolkit for building highly concurrent, distributed, and resilient message-driven applications for Java and Scala.

Affected versions of this package are vulnerable to Insecure Random Number Generation (CWE-338). The AES128CounterSecureRNG and AES256CounterSecureRNG generators are not used by default; they take effect only when an application explicitly selects one of them as a custom random number generator in its configuration. Both implementations contain a bug that causes their output to repeat after a few bytes, so values that should be unpredictable become guessable. An attacker who can observe the traffic could predict the random values used during encryption and potentially eavesdrop on, or tamper with, ongoing communications; the CVSS vector below rates both the confidentiality and the integrity impact as High.

To check whether a deployment is exposed, look for either class name in the random-number-generator setting of the remoting TLS configuration (akka.remote.netty.ssl.security.random-number-generator for classic remoting; the corresponding Artery SSL configuration carries the same setting). If the setting is empty or absent, the JDK's default SecureRandom is used and this issue does not apply.
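The failure mode described above, modelled as an added example (this is not Akka's code): a counter-mode generator is built from a keyed PRF, once with the counter advancing and once with the counter stuck, and a period check shows that the stuck variant repeats after a single block while the correct variant and the operating-system generator do not. HMAC-SHA256 truncated to 16 bytes stands in for AES so the script needs only the Python standard library; the key and nonce are constructed fixed values, and the "stuck counter" is an assumed mechanism chosen to reproduce the repetition the advisory describes, not a description of the actual Akka bug.

```python
"""Illustrative model of a counter-mode RNG whose output repeats after one
block. Stand-in code, not Akka's implementation: HMAC-SHA256 truncated to
16 bytes replaces AES so that the script runs on the standard library alone."""
import hashlib
import hmac
import secrets
from typing import Optional

BLOCK_SIZE = 16  # AES block size in bytes; the model keeps the same size


def _block(key: bytes, counter: int) -> bytes:
    """Keyed pseudo-random function standing in for one AES encryption."""
    ctr_bytes = counter.to_bytes(BLOCK_SIZE, "big")
    return hmac.new(key, ctr_bytes, hashlib.sha256).digest()[:BLOCK_SIZE]


def ctr_keystream(key: bytes, nonce: bytes, nbytes: int,
                  advance_counter: bool = True) -> bytes:
    """Counter-mode keystream of nbytes bytes.

    With advance_counter=False the counter is never incremented, so every
    block is the encryption of the same counter value (assumed failure mode
    used here to reproduce 'the output repeats after a few bytes')."""
    if len(nonce) != BLOCK_SIZE:
        raise ValueError("nonce must be exactly one block")
    counter = int.from_bytes(nonce, "big")
    out = bytearray()
    while len(out) < nbytes:
        out += _block(key, counter)
        if advance_counter:
            counter = (counter + 1) % (1 << (8 * BLOCK_SIZE))
    return bytes(out[:nbytes])


def shortest_period(data: bytes, max_period: Optional[int] = None) -> Optional[int]:
    """Smallest p such that data[i] == data[i + p] for every valid i, or None
    if no period up to max_period (default: half the sample) exists."""
    n = len(data)
    if max_period is None:
        max_period = n // 2
    for p in range(1, max_period + 1):
        if data[p:] == data[:n - p]:
            return p
    return None


def rng_repeats(sample: bytes, min_period: int = 4 * BLOCK_SIZE) -> bool:
    """True if the sample repeats with a period shorter than min_period.

    A healthy generator produces no detectable period in a few hundred bytes;
    a period of a block or two is the defect this advisory describes."""
    return shortest_period(sample, max_period=min_period - 1) is not None


def demo() -> dict:
    """Run the period check over a correct stream, a stuck-counter stream and
    a sample from the operating-system generator."""
    key = bytes(range(32))      # constructed fixed key, for reproducibility
    nonce = bytes(BLOCK_SIZE)   # constructed all-zero initial counter block
    good = ctr_keystream(key, nonce, 256)
    stuck = ctr_keystream(key, nonce, 256, advance_counter=False)
    os_sample = secrets.token_bytes(256)
    return {
        "good_period": shortest_period(good),      # None: no repetition found
        "stuck_period": shortest_period(stuck),    # 16: one block, repeated
        "os_period": shortest_period(os_sample),   # None
        "good_flagged": rng_repeats(good),         # False
        "stuck_flagged": rng_repeats(stuck),       # True
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

shortest_period can be pointed at a byte sample drawn from any generator under test, for example bytes written to a file by a JVM SecureRandom instance obtained from the provider in question; a result other than None on a sample of a few hundred bytes is a defect, since a correct generator's period is astronomically longer than any sample you can collect.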

Remediation

Upgrade com.typesafe.akka:akka-actor_2.12 to version 2.5.16 or higher. All Akka modules in an application must run the same version, so upgrade every Akka artifact in the build (including any built for another Scala binary version) together. Until the upgrade is deployed, remove the AES128CounterSecureRNG or AES256CounterSecureRNG selection from the random-number-generator setting so that the default SecureRandom is used; with that setting empty, the vulnerable code is not exercised.


CVSS Score

9.1, high severity (a 9.1 base score falls in the Critical band of the CVSS 3.1 qualitative scale)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: None
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Credit: Rafal Sumislawski
CVE: CVE-2018-16115
CWE: CWE-338
Snyk ID: SNYK-JAVA-COMTYPESAFEAKKA-451679
Disclosed: 29 Aug, 2018
Published: 22 Jul, 2019