Security Bulletin: IBM Worklight Android Pseudo Random Number Generator Weakness (CVE-2013-5391)

Summary

Android applications that use Java Cryptography Architecture for key generation, signing or random number generation might not receive cryptographically strong values due to improper initialization of the underlying Pseudo Random Number Generator.

Vulnerability Details

CVEID: CVE-2013-5391
DESCRIPTION: A vulnerability exists in the Android operating system where the pseudo random number generator (PRNG) is not properly initialized. As a result of this vulnerability, Worklight programs on Android that use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation might not receive cryptographically strong values.

This issue affects IBM Worklight customer applications on Android that use JSONStore local data storage with encryption enabled and have initialized the JSONStore collection with the '{localKeyGen: true}' option. It can also affect IBM Worklight applications on Android whose customer application logic uses the JCA functions described above.

CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87128 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)

Affected Products and Versions

  • IBM Worklight Consumer Edition Versions 5.0.0, 5.0.5, 5.0.6, and 6.0.0
  • IBM Worklight Enterprise Edition Versions 5.0.0, 5.0.5, 5.0.6, and 6.0.0
  • IBM Mobile Foundation Consumer Edition Versions 5.0.0, 5.0.5, 5.0.6, and 6.0.0
  • IBM Mobile Foundation Enterprise Edition Versions 5.0.0, 5.0.5, 5.0.6, and 6.0.0

Remediation/Fixes

This issue is tracked using APAR PI06709. The fix is included in the following product versions:

  • IBM Worklight Consumer Edition Version 5.0.6 Fix Pack 2
  • IBM Worklight Consumer Edition Version 6.0.0 Fix Pack 2
  • IBM Worklight Enterprise Edition Version 5.0.6 Fix Pack 2
  • IBM Worklight Enterprise Edition Version 6.0.0 Fix Pack 2
  • IBM Mobile Foundation Consumer Edition Version 5.0.6 Fix Pack 2
  • IBM Mobile Foundation Consumer Edition Version 6.0.0 Fix Pack 2
  • IBM Mobile Foundation Enterprise Edition Version 5.0.6 Fix Pack 2
  • IBM Mobile Foundation Enterprise Edition Version 6.0.0 Fix Pack 2

Workarounds and Mitigations

IBM Worklight applications on Android that use JSONStore local data storage with encryption enabled and have initialized the JSONStore collection with the '{localKeyGen: true}' option can be updated to stop using the '{localKeyGen: true}' option.

Alternatively, you can update applications to implement the fix that Google suggests in its Android Developers blog post "Some SecureRandom Thoughts".
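The provider half of that Google fix, written here as an added illustration rather than code from this bulletin or from Worklight; it assumes a Java 7 language level and an Android build where /dev/urandom is readable, and omits the native OpenSSL reseeding step the post applies on Android 4.2 and 4.3.

```java
import java.io.*;
import java.security.*;
// Added example (not Worklight or Google code): install a /dev/urandom-backed SecureRandom
// provider ahead of the platform default, the approach described in Google's post.
public final class UrandomPrngFix {
    // SecureRandomSpi that takes every output byte from the kernel CSPRNG.
    public static final class LinuxPRNGSecureRandom extends SecureRandomSpi {
        private static final File URANDOM = new File("/dev/urandom");

        @Override protected void engineSetSeed(byte[] seed) {
            // Mix the caller's seed into the kernel pool; output never depends on it alone.
            try (FileOutputStream out = new FileOutputStream(URANDOM)) { out.write(seed); }
            catch (IOException ignored) { /* best effort: the kernel pool is already seeded */ }
        }

        @Override protected void engineNextBytes(byte[] bytes) {
            try (DataInputStream in = new DataInputStream(new FileInputStream(URANDOM))) {
                in.readFully(bytes);
            } catch (IOException e) {
                throw new SecurityException("Failed to read from " + URANDOM, e);
            }
        }

        @Override protected byte[] engineGenerateSeed(int numBytes) {
            byte[] seed = new byte[numBytes];
            engineNextBytes(seed);
            return seed;
        }
    }

    // Provider registering the SPI under SHA1PRNG, the name Android apps get by default.
    public static final class LinuxPRNGSecureRandomProvider extends Provider {
        public LinuxPRNGSecureRandomProvider() {
            super("LinuxPRNG", 1.0, "SecureRandom backed by /dev/urandom");
            put("SecureRandom.SHA1PRNG", LinuxPRNGSecureRandom.class.getName());
            put("SecureRandom.SHA1PRNG ImplementedIn", "Software");
        }
    }

    // Call once at startup (e.g. Application.onCreate) before any key material is generated.
    public static void apply() {
        if (new SecureRandom().getProvider() instanceof LinuxPRNGSecureRandomProvider) return;
        Security.insertProviderAt(new LinuxPRNGSecureRandomProvider(), 1);
        // Fail closed if the default SecureRandom still resolves to the flawed platform PRNG.
        if (!(new SecureRandom().getProvider() instanceof LinuxPRNGSecureRandomProvider)) {
            throw new SecurityException("new SecureRandom() is not backed by /dev/urandom");
        }
    }
}
```

Because JSONStore's local key generation and any application-level KeyGenerator or Signature call resolve SecureRandom through the JCA provider list, installing the provider at position 1 before those calls is what makes the fix take effect.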

References

Change History

* 26 February 2014: Original copy published

*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.

Disclaimer

According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.

Document Information

Modified date: 17 June 2018

UID: swg21665731