History: Jun 17, 2018 - 10:31 p.m.

Security Bulletin: IBM Worklight Android Pseudo Random Number Generator Weakness (CVE-2013-5391)

Source: www.ibm.com

EPSS: 0.001 (Low), percentile 20.4%

Summary

Android applications that use Java Cryptography Architecture for key generation, signing or random number generation might not receive cryptographically strong values due to improper initialization of the underlying Pseudo Random Number Generator.

Vulnerability Details

CVEID: CVE-2013-5391
DESCRIPTION: A vulnerability exists in the Android operating system where the pseudo random number generator (PRNG) is not properly initialized. As a result, Worklight programs on Android that use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation might not receive cryptographically strong values. In practice this means keys, nonces, and signatures derived from the default SecureRandom can be far more predictable than their nominal size suggests.

This issue affects IBM Worklight customer applications on Android that use JSONStore local data storage with encryption enabled and initialize the JSONStore collection with the ‘{localKeyGen: true}’ option, because the local key is then derived from the weak PRNG. It can also affect any IBM Worklight application on Android whose own application logic calls the JCA functions described above.

CVSS Base Score: 3.5
CVSS Temporal Score: See <https://exchange.xforce.ibmcloud.com/vulnerabilities/87128> for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Affected Products and Versions

  • IBM Worklight Consumer Edition Versions 5.0.0, 5.0.5, 5.0.6, and 6.0.0
  • IBM Worklight Enterprise Edition Versions 5.0.0, 5.0.5, 5.0.6, and 6.0.0
  • IBM Mobile Foundation Consumer Edition Versions 5.0.0, 5.0.5, 5.0.6, and 6.0.0
  • IBM Mobile Foundation Enterprise Edition Versions 5.0.0, 5.0.5, 5.0.6, and 6.0.0

Remediation/Fixes

This issue is tracked using APAR PI06709. The fix is included in the following product versions:

  • IBM Worklight Consumer Edition Version 5.0.6 Fix Pack 2
  • IBM Worklight Consumer Edition Version 6.0.0 Fix Pack 2
  • IBM Worklight Enterprise Edition Version 5.0.6 Fix Pack 2
  • IBM Worklight Enterprise Edition Version 6.0.0 Fix Pack 2
  • IBM Mobile Foundation Consumer Edition Version 5.0.6 Fix Pack 2
  • IBM Mobile Foundation Consumer Edition Version 6.0.0 Fix Pack 2
  • IBM Mobile Foundation Enterprise Edition Version 5.0.6 Fix Pack 2
  • IBM Mobile Foundation Enterprise Edition Version 6.0.0 Fix Pack 2

Workarounds and Mitigations

IBM Worklight applications on Android that use JSONStore local data storage with encryption enabled and initialize the JSONStore collection with the ‘{localKeyGen: true}’ option can be updated to stop using the ‘{localKeyGen: true}’ option, so that no encryption key is generated from the device's weak PRNG.

Alternatively, you can update applications to implement the fix that Google describes in its Android Developers Blog post "Some SecureRandom Thoughts" (August 2013): install a SecureRandom provider that draws its output directly from /dev/urandom ahead of the default provider, and, on Android 4.1 to 4.3, also seed the OpenSSL PRNG explicitly from /dev/urandom. Any application that applies this fix should verify at startup that `new SecureRandom()` actually resolves to the installed provider rather than assuming it does.
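The following is an added example, not IBM's or Google's code, of the provider-installation half of that fix: a JCA provider whose SecureRandom SPI reads every byte from /dev/urandom, installed at the highest priority and then checked so that a failed installation cannot go unnoticed. It assumes a Linux/Android runtime where /dev/urandom exists and is readable by the app; the class and provider names are illustrative, and the Android-version gating and the OpenSSL re-seeding that Google's full fix also performs are omitted.

```java
import java.io.DataInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.SecureRandomSpi;
import java.security.Security;
import java.util.Arrays;

/**
 * Added example (hypothetical names): replaces the default SecureRandom with
 * one backed by the kernel's /dev/urandom, so JCA key generation, signing and
 * random number generation no longer depend on a poorly seeded PRNG.
 */
public final class LinuxPrngFix {

    // Assumption: /dev/urandom is present and readable by the application.
    private static final File URANDOM = new File("/dev/urandom");

    /** SPI that reads every output byte from /dev/urandom and ignores caller seeds. */
    public static final class LinuxPrngSecureRandom extends SecureRandomSpi {
        private static final Object LOCK = new Object();
        private static DataInputStream urandomIn; // shared stream, opened lazily

        @Override
        protected void engineSetSeed(byte[] seed) {
            // Deliberately a no-op: a caller-supplied seed must never replace
            // kernel entropy; trusting such seeds is the weakness being fixed.
        }

        @Override
        protected void engineNextBytes(byte[] bytes) {
            try {
                synchronized (LOCK) {
                    if (urandomIn == null) {
                        urandomIn = new DataInputStream(new FileInputStream(URANDOM));
                    }
                    urandomIn.readFully(bytes);
                }
            } catch (IOException e) {
                throw new SecurityException("Failed to read from " + URANDOM, e);
            }
        }

        @Override
        protected byte[] engineGenerateSeed(int numBytes) {
            byte[] seed = new byte[numBytes];
            engineNextBytes(seed);
            return seed;
        }
    }

    /** Provider registering the SPI under "SHA1PRNG", the algorithm name the default SecureRandom uses. */
    public static final class LinuxPrngProvider extends Provider {
        public LinuxPrngProvider() {
            super("LinuxPRNG", 1.0, "SecureRandom backed by /dev/urandom");
            put("SecureRandom.SHA1PRNG", LinuxPrngSecureRandom.class.getName());
            put("SecureRandom.SHA1PRNG ImplementedIn", "Software");
        }
    }

    /** Install the provider at position 1 (idempotent) and verify that resolution now hits it. */
    public static synchronized void install() {
        Provider[] current = Security.getProviders("SecureRandom.SHA1PRNG");
        if (current != null && current.length > 0 && current[0] instanceof LinuxPrngProvider) {
            return; // already installed at top priority
        }
        Security.insertProviderAt(new LinuxPrngProvider(), 1);

        // Fail closed: if another provider still wins, the app must not keep
        // silently using the old generator.
        SecureRandom byDefault = new SecureRandom();
        if (!(byDefault.getProvider() instanceof LinuxPrngProvider)) {
            throw new SecurityException("new SecureRandom() resolved to " + byDefault.getProvider().getName());
        }
        try {
            SecureRandom byName = SecureRandom.getInstance("SHA1PRNG");
            if (!(byName.getProvider() instanceof LinuxPrngProvider)) {
                throw new SecurityException("SHA1PRNG resolved to " + byName.getProvider().getName());
            }
        } catch (NoSuchAlgorithmException e) {
            throw new SecurityException("SHA1PRNG not available after install", e);
        }
    }

    /** Smoke check: after installation, two independent 32-byte draws must differ. */
    public static boolean selfCheck() {
        install();
        SecureRandom rng = new SecureRandom();
        byte[] a = new byte[32];
        byte[] b = new byte[32];
        rng.nextBytes(a);
        rng.nextBytes(b);
        return !Arrays.equals(a, b);
    }

    public static void main(String[] args) {
        System.out.println("LinuxPRNG installed and draws differ: " + selfCheck());
    }
}
```

Call `LinuxPrngFix.install()` once, as early as possible (for example in `Application.onCreate()`), before any code generates keys, signs, or asks for random bytes; the check in `install()` throws rather than returning quietly, which is the behaviour you want for a security-critical initialization step. On Android releases that already contain the platform fix the installation is harmless but unnecessary, which is why Google's version gates it on the OS version.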
