Security Bulletin
Summary
Android applications that use Java Cryptography Architecture for key generation, signing or random number generation might not receive cryptographically strong values due to improper initialization of the underlying Pseudo Random Number Generator.
Vulnerability Details
CVEID: CVE-2013-5391
DESCRIPTION: A vulnerability exists in the Android operating system where the pseudo random number generator (PRNG) is not properly initialized. As a result of this vulnerability, Worklight programs on Android that use the Java Cryptography Architecture (JCA) for key generation, signing, or random number generation might not receive cryptographically strong values.
This issue affects IBM Worklight customer applications on Android that make use of JSONStore local data storage with encryption enabled and have initialized the JSONStore collection using the '{localKeyGen: true}' option. It can also affect IBM Worklight applications on Android if the customer application logic makes use of the JCA functions that are previously described.
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/87128 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/Au:S/C:P/I:N/A:N)
Affected Products and Versions
- IBM Worklight Consumer Edition Versions 5.0.0, 5.0.5, 5.0.6, and 6.0.0
- IBM Worklight Enterprise Edition Versions 5.0.0, 5.0.5, 5.0.6, and 6.0.0
- IBM Mobile Foundation Consumer Edition Versions 5.0.0, 5.0.5, 5.0.6, and 6.0.0
- IBM Mobile Foundation Enterprise Edition Versions 5.0.0, 5.0.5, 5.0.6, and 6.0.0
Remediation/Fixes
This issue is tracked using APAR PI06709. The fix is included in the following product versions:
- IBM Worklight Consumer Edition Version 5.0.6 Fix Pack 2
- IBM Worklight Consumer Edition Version 6.0.0 Fix Pack 2
- IBM Worklight Enterprise Edition Version 5.0.6 Fix Pack 2
- IBM Worklight Enterprise Edition Version 6.0.0 Fix Pack 2
- IBM Mobile Foundation Consumer Edition Version 5.0.6 Fix Pack 2
- IBM Mobile Foundation Consumer Edition Version 6.0.0 Fix Pack 2
- IBM Mobile Foundation Enterprise Edition Version 5.0.6 Fix Pack 2
- IBM Mobile Foundation Enterprise Edition Version 6.0.0 Fix Pack 2
Workarounds and Mitigations
IBM Worklight applications on Android that make use of JSONStore local data storage with encryption enabled and have initialized the JSONStore collection using the '{localKeyGen: true}' option can be updated to avoid using the '{localKeyGen: true}' option.
Alternatively, you can update applications to implement the fix suggested by Google in its "Some SecureRandom Thoughts" blog posting.
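As an added example (not IBM's code and not a copy of Google's), the provider-installation half of that approach: a SecureRandom provider that sources every byte from the kernel's /dev/urandom, registered at the head of the JCA provider list so SHA1PRNG lookups resolve to it. The class name, the SDK-level guard (assumed to cover the affected releases, Android 4.3 and earlier) and the omission of Google's separate OpenSSL seeding step are this example's own choices; install() is meant to be called once from Application.onCreate(), before any JSONStore or other JCA use.

```java
import android.os.Build;
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Provider;
import java.security.SecureRandomSpi;
import java.security.Security;
// Hypothetical helper, modelled on the approach in Google's blog post rather than copied from it.
public final class UrandomSecureRandom {
    // Public with a public no-arg constructor: the JCA instantiates the SPI by reflection.
    public static final class LinuxPrngSpi extends SecureRandomSpi {
        private static final String URANDOM = "/dev/urandom";
        @Override
        protected void engineSetSeed(byte[] seed) {
            // The kernel pool mixes its own entropy; a caller-supplied seed is neither needed nor trusted.
        }
        @Override
        protected void engineNextBytes(byte[] bytes) {
            DataInputStream in = null;
            try {
                in = new DataInputStream(new FileInputStream(URANDOM));
                in.readFully(bytes); // fills the whole array or throws; never a short read
            } catch (IOException e) {
                throw new SecurityException("Failed to read from " + URANDOM, e);
            } finally {
                if (in != null) { try { in.close(); } catch (IOException ignored) { } }
            }
        }
        @Override
        protected byte[] engineGenerateSeed(int numBytes) {
            byte[] seed = new byte[numBytes];
            engineNextBytes(seed);
            return seed;
        }
    }
    // Installs the provider at position 1 on affected releases (assumed: Android 4.3 / API 18 and earlier),
    // so SecureRandom.getInstance("SHA1PRNG") and the default SecureRandom constructor both resolve to it.
    public static synchronized void install() {
        if (Build.VERSION.SDK_INT > Build.VERSION_CODES.JELLY_BEAN_MR2) {
            return; // later platforms ship a corrected PRNG; leave the default provider alone
        }
        if (Security.getProvider("LinuxPRNG") != null) {
            return; // already installed; keep the call idempotent
        }
        Provider provider = new Provider("LinuxPRNG", 1.0, "SecureRandom backed by /dev/urandom") { };
        provider.put("SecureRandom.SHA1PRNG", LinuxPrngSpi.class.getName());
        Security.insertProviderAt(provider, 1);
    }
}
```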
References
Change History
* 26 February 2014: Original copy published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
Review the IBM security bulletin disclaimer and definitions regarding your responsibilities for assessing potential impact of security vulnerabilities to your environment.
Document Information
Modified date: 17 June 2018
UID: swg21665731