CVE Vulnerabilities

CVE-2013-7372

Published: Apr 29, 2014 | Modified: Apr 30, 2014
CVSS 3.x
N/A
Source:
NVD
CVSS 2.x
5 MEDIUM
AV:N/AC:L/Au:N/C:N/I:P/A:N
RedHat/V2
RedHat/V3
Ubuntu

The engineNextBytes function in classlib/modules/security/src/main/java/common/org/apache/harmony/security/provider/crypto/SHA1PRNG_SecureRandomImpl.java in the SecureRandom implementation in Apache Harmony through 6.0M3, as used in the Java Cryptography Architecture (JCA) in Android before 4.4 and other products, when no seed is provided by the user, uses an incorrect offset value, which makes it easier for attackers to defeat cryptographic protection mechanisms by leveraging the resulting PRNG predictability, as exploited in the wild against Bitcoin wallet applications in August 2013.

Affected Software

Name Vendor Start Version End Version
Android Google 4.2 4.2
Android Google 4.1 4.1
Android Google 4.0.2 4.0.2
Android Google * 4.3.1
Android Google 4.0.4 4.0.4
Android Google 4.3 4.3
Android Google 4.0.1 4.0.1
Android Google 4.2.1 4.2.1
Android Google 4.0.3 4.0.3
Android Google 4.0 4.0
Android Google 4.2.2 4.2.2
Harmony Apache * 6.0
Android Google 4.1.2 4.1.2

References