CVE-2018-11045Use of Insufficiently Random Values in Operations Manager

CWE-330Use of Insufficiently Random Values3 documents3 sources
Severity
5.9MEDIUMNVD
EPSS
0.3%
top 47.74%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Pivotal Operations ManagerPivotal Software Operations Manager
Timeline
PublishedJul 11
Latest updateMay 14

Description

Pivotal Operations Manager, versions 2.1 prior to 2.1.6 and 2.0 prior to 2.0.15 and 1.12 prior to 1.12.22, contains a static Linux Random Number Generator (LRNG) seed file embedded in the appliance image. An attacker with knowledge of the exact version and IaaS of a running OpsManager could get the contents of the corresponding seed from the published image and therefore infer the initial state of the LRNG.

CVSS vector

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:NExploitability: 2.2 | Impact: 3.6

Affected Packages2 packages

CVEListV5pivotal/pivotal_operations_manager2.12.1.6+2
NVDpivotal_software/operations_manager1.121.12.22+2

🔴Vulnerability Details

2
GHSA
GHSA-2m5c-4ccv-xpr3: Pivotal Operations Manager, versions 22022-05-14
CVEList
CVE-2018-11045: Pivotal Operations Manager, versions 22018-07-11
CVE-2018-11045 — Use of Insufficiently Random Values | cvebase