Insecure Random Number Generation Affecting com.typesafe.akka:akka-actor_2.12 package, versions [2.5.0, 2.5.16)
22 Jul 2019
29 Aug 2018
How to fix?
Upgrade com.typesafe.akka:akka-actor_2.12 to version 2.5.16 or higher.
com.typesafe.akka:akka-actor_2.12 is a toolkit for building highly concurrent, distributed, and resilient message-driven applications for Java and Scala.
Affected versions of this package are vulnerable to Insecure Random Number Generation. When a custom random number generator is configured, if the AES256CounterSecureRNG are enabled, a malicious user could easily guess the random number used during encryption and possibly eavesdrop on ongoing communications. This is due to a bug in the AES256CounterSecureRNG implementations, causing the generated numbers to repeat themselves after a few bytes.
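
A triage check for the two conditions this advisory describes: an akka-actor_2.12 version in [2.5.0, 2.5.16) together with a counter-based custom RNG in the configuration. This is an added example, not part of the advisory or of Akka. The random-number-generator key name, the dependency-listing format and the sample inputs are assumptions; the advisory does not give the key.

```python
import re

# Affected range from the advisory: [2.5.0, 2.5.16); 2.5.16 is the first fixed release.
FIRST_AFFECTED, FIRST_FIXED = (2, 5, 0, 1), (2, 5, 16, 1)

# Coordinates as printed by build tools: g:a:version or g:a:jar:version:scope.
COORD = re.compile(r'com\.typesafe\.akka:akka-actor_2\.12:(?:jar:)?(\d[\w.+-]*)')

# Assumption: the RNG is chosen with a HOCON key named random-number-generator
# (Akka remoting SSL settings); the advisory itself does not name the key.
RNG_KEY = re.compile(
    r'^[ \t]*(?:[\w-]+\.)*random-number-generator[ \t]*[=:][ \t]*"?([\w.]+)', re.M)


def version_key(text):
    """Sortable key; a qualifier such as -RC1 sorts before the plain release,
    so a pre-release of the fixed version is conservatively still flagged."""
    m = re.match(r'(\d+)\.(\d+)\.(\d+)(.*)', text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    major, minor, patch, qualifier = m.groups()
    return (int(major), int(minor), int(patch), 0 if qualifier else 1)


def in_affected_range(version):
    return FIRST_AFFECTED <= version_key(version) < FIRST_FIXED


def assess(dependency_listing, hocon_text):
    """Return (affected_versions, counter_rng_settings, exposed)."""
    affected = [v for v in COORD.findall(dependency_listing) if in_affected_range(v)]
    # Suffix match covers AES256CounterSecureRNG, which the advisory names,
    # and any generator with the same suffix (assumption).
    rngs = [r for r in RNG_KEY.findall(hocon_text) if r.endswith("CounterSecureRNG")]
    return affected, rngs, bool(affected and rngs)


# Constructed sample inputs, not taken from any real project.
SAMPLE_DEPS = """\
com.typesafe.akka:akka-actor_2.12:jar:2.5.13:compile
com.typesafe.akka:akka-stream_2.12:jar:2.5.13:compile
"""
SAMPLE_CONF = """\
akka.remote.netty.ssl.security {
  # random-number-generator = "SecureRandom"
  random-number-generator = "AES256CounterSecureRNG"
}
"""

if __name__ == "__main__":
    print(assess(SAMPLE_DEPS, SAMPLE_CONF))
```

A deployment is only flagged as exposed when both conditions hold; an affected version with no custom counter RNG configured still warrants the upgrade listed above.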