Pivotal Operations Manager, versions 2.1 prior to 2.1.6, 2.0 prior to 2.0.15, and 1.12 prior to 1.12.22, contains a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image. An attacker who knows the exact version and IaaS of a running OpsManager could obtain the contents of the corresponding seed from the published image and therefore infer the initial state of the LRNG.
[
  {
    "product": "Pivotal Operations Manager",
    "vendor": "Pivotal",
    "versions": [
      {
        "lessThan": "2.1.6",
        "status": "affected",
        "version": "2.1",
        "versionType": "custom"
      },
      {
        "lessThan": "2.0.15",
        "status": "affected",
        "version": "2.0",
        "versionType": "custom"
      },
      {
        "lessThan": "1.12.22",
        "status": "affected",
        "version": "1.12",
        "versionType": "custom"
      }
    ]
  }
]