CVE-2013-7372
First published: Tue Apr 29 2014(Updated: )
The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Apache Harmony | <=6.0 | |
| Google Android | <=4.3.1 | |
| Google Android | =4.0 | |
| Google Android | =4.0.1 | |
| Google Android | =4.0.2 | |
| Google Android | =4.0.3 | |
| Google Android | =4.0.4 | |
| Google Android | =4.1 | |
| Google Android | =4.1.2 | |
| Google Android | =4.2 | |
| Google Android | =4.2.1 | |
| Google Android | =4.2.2 | |
| Google Android | =4.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://android-developers.blogspot.com.au/2013/08/some-securerandom-thoughts.html
- http://www.nds.rub.de/media/nds/veroeffentlichungen/2013/03/25/paper_2.pdf
- https://android.googlesource.com/platform/libcore/+/kitkat-release/luni/src/main/java/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java
- https://bitcoin.org/en/alert/2013-08-11-android
Frequently Asked Questions
What is the severity of CVE-2013-7372?
CVE-2013-7372 is considered a high severity vulnerability due to potential predictability in generated cryptographic random numbers.
How do I fix CVE-2013-7372?
To fix CVE-2013-7372, upgrade to a version of Apache Harmony later than 6.0M3 or an Android version later than 4.3.
What software is affected by CVE-2013-7372?
CVE-2013-7372 affects Apache Harmony versions up to 6.0M3 and Android versions prior to 4.4.
What is the impact of CVE-2013-7372?
The impact of CVE-2013-7372 includes the potential for attackers to predict cryptographic keys resulting from insecure random number generation.
Is CVE-2013-7372 specific to certain Java implementations?
Yes, CVE-2013-7372 specifically affects the Java Cryptography Architecture (JCA) implementation in Apache Harmony and certain Android versions.
- agent/references
- agent/type
- agent/remedy
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/weakness
- agent/author
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- agent/first-publish-date
- agent/source
- vendor/apache
- canonical/apache harmony
- version/apache harmony/6.0
- vendor/google
- canonical/google android
- version/google android/4.3.1
- version/google android/4.0
- version/google android/4.0.1
- version/google android/4.0.2
- version/google android/4.0.3
- version/google android/4.0.4
- version/google android/4.1
- version/google android/4.1.2
- version/google android/4.2
- version/google android/4.2.1
- version/google android/4.2.2
- version/google android/4.3