First published: Tue Jul 10 2018
Pivotal Operations Manager, versions 2.1 prior to 2.1.6 and 2.0 prior to 2.0.15 and 1.12 prior to 1.12.22, contains a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image. An attacker with knowledge of the exact version and IaaS of a running OpsManager could get the contents of the corresponding seed from the published image and therefore infer the initial state of the LRNG.
Credit: security_alert@emc.com
Affected Software | Affected Version | How to fix |
---|---|---|
Pivotal Software Operations Manager | >=1.12 <1.12.22 | |
Pivotal Software Operations Manager | >2.0 <2.0.15 | |
Pivotal Software Operations Manager | >=2.1.0 <2.1.6 | |
CVE-2018-11045 is a vulnerability in Pivotal Operations Manager versions 2.1 prior to 2.1.6 and 2.0 prior to 2.0.15 and 1.12 prior to 1.12.22.
CVE-2018-11045 has a severity level of medium with a severity score of 5.9.
CVE-2018-11045 affects Pivotal Operations Manager versions 2.1 prior to 2.1.6, 2.0 prior to 2.0.15, and 1.12 prior to 1.12.22 by containing a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image.
An attacker with knowledge of the exact version and IaaS of a running OpsManager could exploit CVE-2018-11045 to obtain the LRNG seed file, potentially compromising cryptographic keys used by the system.
Yes, updating to Pivotal Operations Manager versions 2.1.6, 2.0.15, and 1.12.22 or later will resolve the vulnerability.
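A build-pipeline check for the condition described above, as an added example (not Pivotal's or SecAlerts' code): it scans extracted image root filesystems for a non-empty seed file and flags images that ship identical seed bytes. The two seed paths are conventional Linux locations and an assumption, since the page does not name the file; the sample image trees are constructed.

```python
import hashlib
from pathlib import Path

# Conventional Linux seed locations (assumption: the page does not say
# which path the appliance image uses).
SEED_PATHS = ("var/lib/systemd/random-seed", "var/lib/urandom/random-seed")

def embedded_seeds(rootfs):
    """Return {relative_path: sha256} for non-empty seed files found under
    an extracted image root filesystem."""
    found = {}
    for rel in SEED_PATHS:
        p = Path(rootfs) / rel
        if p.is_file() and p.stat().st_size > 0:
            found[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return found

def audit_images(images):
    """images: {label: rootfs path}. Every shipped seed is a finding; it is
    marked shared when an earlier image carries byte-identical content."""
    seen = {}  # digest -> first label that carried it
    findings = []
    for label in sorted(images):
        for rel, digest in embedded_seeds(images[label]).items():
            first = seen.setdefault(digest, label)
            status = "shipped" if first == label else f"shared-with:{first}"
            findings.append((label, rel, status))
    return findings

def make_sample_images(base):
    """Constructed sample data: three fake image roots under `base`."""
    static = hashlib.sha512(b"constructed static seed").digest() * 8  # 512 bytes
    layout = {
        "build-a": {SEED_PATHS[1]: static},
        "build-b": {SEED_PATHS[1]: static},  # same bytes as build-a
        "build-clean": {},                    # no seed file in the image
    }
    images = {}
    for label, files in layout.items():
        root = Path(base) / label
        root.mkdir(parents=True)
        for rel, data in files.items():
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(data)
        images[label] = root
    return images

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        for finding in audit_images(make_sample_images(tmp)):
            print(*finding)
```

Run it against the image artifact rather than a running VM: Linux distributions typically rewrite the seed file at boot and shutdown, so the on-disk file of a live instance no longer shows what the first boot loaded.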