Insecure Random Number Generation
Affecting com.typesafe.akka:akka-actor_2.12 artifact, versions [2.5.0, 2.5.16)
com.typesafe.akka:akka-actor_2.12 is a toolkit for building highly concurrent, distributed, and resilient message-driven applications for Java and Scala.
Affected versions of this package are vulnerable to Insecure Random Number Generation. When a custom random number generator is configured, if the AES256CounterSecureRNG are enabled, a malicious user could easily guess the random number used during encryption and possibly eavesdrop on ongoing communications. This is due to a bug in the AES256CounterSecureRNG implementations, causing the generated numbers to repeat themselves after a few bytes.
Upgrade com.typesafe.akka:akka-actor_2.12 to version 2.5.16 or higher.
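An exposure check for the two conditions above (version inside [2.5.0, 2.5.16) and the flawed generator selected), added here as an example and not part of the advisory or of Akka. It assumes the generator is chosen through a HOCON key named random-number-generator, here under akka.remote.netty.ssl.security; the function names and the sample configuration are constructed for illustration.

```python
import re

# Range and generator name are taken from the advisory text.
RANGE_LOW, RANGE_HIGH = "2.5.0", "2.5.16"      # [low, high)
FLAWED_GENERATORS = {"AES256CounterSecureRNG"}

# Assumption: the generator is selected by a HOCON key named
# random-number-generator (the key name is not given on the page).
RNG_SETTING = re.compile(r'random-number-generator\s*[=:]\s*"?([\w.]*)"?')


def version_key(version):
    """Sortable key; a '-suffix' build (RC, M, SNAPSHOT) sorts before its release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(-.+)?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = (int(g) for g in m.group(1, 2, 3))
    return (major, minor, patch, 0 if m.group(4) else 1)


def in_affected_range(version):
    return version_key(RANGE_LOW) <= version_key(version) < version_key(RANGE_HIGH)


def configured_generators(conf_text):
    """Values of every active (non-commented) random-number-generator setting."""
    found = []
    for line in conf_text.splitlines():
        active = re.split(r"#|//", line, maxsplit=1)[0]  # drop HOCON comments
        found += RNG_SETTING.findall(active)
    return found


def assess(version, conf_text):
    """'exposed' needs both conditions; a fixed or older version is 'not-affected'."""
    if not in_affected_range(version):
        return "not-affected"
    if FLAWED_GENERATORS & set(configured_generators(conf_text)):
        return "exposed"
    return "affected-version-only"


# Constructed sample configuration, not taken from a real deployment.
SAMPLE_CONF = '''
akka.remote.netty.ssl.security {
  # random-number-generator = ""
  random-number-generator = "AES256CounterSecureRNG"
}
'''

if __name__ == "__main__":
    for v in ("2.4.20", "2.5.14", "2.5.16-RC1", "2.5.16"):
        print(v, assess(v, SAMPLE_CONF))
```

A result of affected-version-only still calls for the upgrade; it means the flawed generator is not currently selected in the scanned file.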