CVE-2018-16115

9.1 CRITICAL

📋 TL;DR

CVE-2018-16115 is a cryptographic vulnerability in Lightbend Akka 2.5.x that allows attackers to compromise TLS-secured communications when custom random number generators are enabled. The bug causes predictable random number generation, enabling message disclosure, modification, and replay attacks. Only Akka deployments using the vulnerable AES128CounterSecureRNG or AES256CounterSecureRNG configurations are affected.

💻 Affected Systems

Products:
  • Lightbend Akka
Versions: 2.5.0 through 2.5.15
Operating Systems: All platforms running Akka
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when explicitly configured to use AES128CounterSecureRNG or AES256CounterSecureRNG random number generators. Default configuration uses secure RNG.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of all Akka Remoting/Cluster communications including eavesdropping, message modification, replay attacks, and potential data exfiltration or system takeover.

🟠 Likely Case

Unauthorized access to sensitive data transmitted between Akka nodes, potential message manipulation in distributed systems.

🟢 If Mitigated

No impact if using default RNG configuration or properly patched versions.

🌐 Internet-Facing: HIGH - If Akka Remoting is exposed to untrusted networks with vulnerable RNG configuration, attackers can intercept and manipulate communications.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this to intercept sensitive inter-service communications.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: MEDIUM

Exploitation requires network access to Akka Remoting endpoints and knowledge of the vulnerable configuration. The cryptographic weakness makes attacks feasible for skilled adversaries.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Akka 2.5.16 and later

Vendor Advisory: https://doc.akka.io/docs/akka/current/security/2018-08-29-aes-rng.html

Restart Required: Yes

Instructions:

1. Upgrade to Akka 2.5.16 or later.
2. Remove any configuration references to AES128CounterSecureRNG or AES256CounterSecureRNG.
3. Restart all Akka applications and nodes.
4. Verify configuration uses default secure RNG.

🔧 Temporary Workarounds

Disable vulnerable RNG configurations

Applies to: all

Remove custom RNG configurations to revert to the default secure random number generator.

Remove or comment out any 'akka.remote.artery.advanced.random-number-generator' or 'akka.remote.classic.security.random-number-generator' configuration referencing AES128CounterSecureRNG or AES256CounterSecureRNG.

🧯 If You Can't Patch

  • Immediately disable AES128CounterSecureRNG and AES256CounterSecureRNG configurations and revert to default RNG
  • Isolate Akka Remoting traffic to trusted networks only and implement additional network-level encryption

🔍 How to Verify

Check if Vulnerable:

Check Akka configuration files for references to AES128CounterSecureRNG or AES256CounterSecureRNG in random-number-generator settings. Verify Akka version is between 2.5.0 and 2.5.15.

Check Version:

Check application logs for Akka version or use: java -cp "akka-actor_2.12-*.jar" -Dakka.version.check

Verify Fix Applied:

Confirm Akka version is 2.5.16 or higher and configuration files contain no references to the vulnerable RNG implementations.
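The two checks above (vulnerable RNG names present in configuration, and Akka version inside the affected range) can be automated. The script below is an added example written for this page; it is not code from Akka or Lightbend. It matches only the implementation names the advisory lists (AES128CounterSecureRNG, AES256CounterSecureRNG), so it works regardless of which configuration key the value sits under, and it treats a setting that is commented out in HOCON (`#` or `//`) as inactive. The embedded sample configuration is constructed for the example; the `akka.remote.netty.ssl.security` path in it is the classic-remoting SSL settings block as the editor understands it and is an assumption, not a value taken from this page.

```python
"""Check an Akka deployment for CVE-2018-16115 exposure: affected version plus custom AES RNG configured."""
import re
import sys
from typing import List, Tuple

# RNG implementation names the advisory identifies as affected.
VULNERABLE_RNGS = ("AES128CounterSecureRNG", "AES256CounterSecureRNG")

# Affected range per the advisory: 2.5.0 through 2.5.15; fixed in 2.5.16.
AFFECTED_MIN = (2, 5, 0)
AFFECTED_MAX = (2, 5, 15)

# Constructed sample HOCON config (not from the page): one active vulnerable
# setting on line 5 and one commented-out reference on line 9 that must NOT count.
SAMPLE_CONFIG = """\
akka {
  remote {
    netty.ssl.security {
      # constructed sample: the vulnerable setting, active
      random-number-generator = "AES128CounterSecureRNG"
    }
  }
}
# random-number-generator = "AES256CounterSecureRNG"   commented out, so inactive
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.5.12' into (2, 5, 12); a suffix such as '-RC1' is ignored."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not match:
        raise ValueError(f"unrecognised Akka version string: {version!r}")
    return tuple(int(p) for p in match.groups())


def version_is_affected(version: str) -> bool:
    """True when the Akka version lies inside the affected 2.5.0..2.5.15 range."""
    return AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX


def find_vulnerable_rng_settings(config_text: str) -> List[Tuple[int, str]]:
    """Return (line number, stripped line) for each uncommented line naming a vulnerable RNG.

    HOCON comments start with '#' or '//'; everything after the first comment
    marker is dropped before matching, so a commented-out setting is not reported.
    (A '//' inside a quoted URL would also truncate that line, which is harmless here.)
    """
    hits = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        active_part = re.split(r"#|//", raw, maxsplit=1)[0]
        if any(rng in active_part for rng in VULNERABLE_RNGS):
            hits.append((lineno, raw.strip()))
    return hits


def assess(version: str, config_text: str) -> str:
    """Combine both advisory checks into one verdict.

    VULNERABLE   - affected version and an active vulnerable RNG setting
    STALE_CONFIG - fixed version, but vulnerable RNG names still configured (clean them up)
    CLEAN        - no active vulnerable RNG setting
    """
    if not find_vulnerable_rng_settings(config_text):
        return "CLEAN"
    if version_is_affected(version):
        return "VULNERABLE"
    return "STALE_CONFIG"


def main(argv: List[str]) -> int:
    """Usage: check_akka_rng.py <akka-version> <application.conf> [more .conf files]"""
    if len(argv) < 3:
        print(main.__doc__)
        return 2
    version, paths = argv[1], argv[2:]
    worst = "CLEAN"
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        for lineno, line in find_vulnerable_rng_settings(text):
            print(f"{path}:{lineno}: {line}")
        verdict = assess(version, text)
        if verdict == "VULNERABLE" or (verdict == "STALE_CONFIG" and worst == "CLEAN"):
            worst = verdict
    print(f"Akka {version}: {worst}")
    return 1 if worst == "VULNERABLE" else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python check_akka_rng.py 2.5.12 /path/to/application.conf`; a non-zero exit code marks an affected version with an active vulnerable RNG setting, which makes it easy to wire into a deployment gate. A `STALE_CONFIG` result on 2.5.16 or later is not exploitable per the advisory but still warrants removing the references, matching step 2 of the fix instructions.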

📡 Detection & Monitoring

Log Indicators:

  • Configuration warnings about deprecated or insecure RNG
  • Unexpected connection resets or TLS handshake failures in Akka Remoting

Network Indicators:

  • Unusual patterns in encrypted traffic between Akka nodes
  • Repeated cryptographic nonces or initialization vectors

SIEM Query:

Search for configuration files containing 'AES128CounterSecureRNG' OR 'AES256CounterSecureRNG' in path patterns matching Akka deployments
