PT-2018-13412 · Lightbend · Akka

Rafał Sumisławski · Published 2018-08-29 · Updated 2018-11-08 · CVE-2018-16115

CVSS v3.1: 9.1 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions
Lightbend Akka versions 2.5.x through 2.5.15

Description
The issue allows message disclosure and modification due to an RNG defect in Akka Remoting's TLS support. Akka uses a random number generator for TLS and permits configuration of custom random number generator implementations. Two of the custom implementations, AES128CounterSecureRNG and AES256CounterSecureRNG, had a bug that caused the generated output to repeat after a few bytes. Although neither is configured by default, examples in the documentation implicitly recommended using them. Where one of these random number generators is enabled, an attacker could compromise the TLS-protected communication, allowing eavesdropping on, replaying, or modifying messages sent with Akka Remoting/Cluster.

Recommendations
For Lightbend Akka versions 2.5.x through 2.5.15, update to version 2.5.16 or later to resolve the issue. As a temporary workaround, if updating is not immediately possible, disable the custom random number generators AES128CounterSecureRNG and AES256CounterSecureRNG and do not use them in the configuration until the issue is resolved. Restrict network access to Akka Remoting/Cluster endpoints to minimize the risk of exploitation.
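As an added example (not part of the original advisory or of Akka's own documentation), the affected setting in a classic-remoting TLS configuration next to its corrected form. The key path `akka.remote.netty.ssl.security.random-number-generator` is taken from Akka 2.5's reference.conf; verify it against the reference.conf shipped with the exact Akka version you run.

```hocon
# Added example, not from the advisory. Key paths follow Akka 2.5 reference.conf;
# check them against the reference.conf of your Akka version.

# AFFECTED: one of the custom counter-mode generators is selected explicitly.
# On Akka 2.5.x up to 2.5.15 this is the configuration the advisory describes.
akka.remote.netty.ssl.security {
  random-number-generator = "AES128CounterSecureRNG"   # or "AES256CounterSecureRNG"
}

# CORRECTED: leave the setting empty (the default), which makes Akka use the
# JDK's SecureRandom, and run Akka 2.5.16 or later.
akka.remote.netty.ssl.security {
  random-number-generator = ""
}
```

HOCON merges repeated object paths with later definitions winning, so a real application.conf should contain only the corrected block; the two appear together here purely for comparison. The same setting name exists for the Artery transport under `akka.remote.artery.ssl.config-ssl-engine` in 2.5's reference.conf, and the same empty value applies there. Grep every deployed configuration for `random-number-generator` rather than relying on the default, since the advisory notes that documentation examples steered users toward the affected values.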


Weakness Enumeration

Related identifiers

CVE-2018-16115
GHSA-MR95-9RR4-668F

Affected products

Akka