Sakai Encryption Key Vulnerability in EncryptionUtilityServiceImpl Allows Decryption of Protected Data
Vulnerability
A vulnerability exists in Sakai's EncryptionUtilityServiceImpl component, affecting versions prior to 23.5 and 25.0. The component used a non-cryptographic pseudorandom number generator (PRNG) to initialize the encryption key for AES-256 encryption. This predictable key generation process significantly weakened the encryption, as an attacker could potentially reconstruct the key and decrypt data protected by this service. Exploitation requires access to ciphertexts and knowledge of the PRNG seed.
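The following is an added illustration, not Sakai's code: it contrasts a key drawn from a non-cryptographic PRNG with one drawn from a CSPRNG, and shows why knowledge of the seed is enough to decrypt. It assumes java.util.Random as the stand-in generator and AES-GCM as the mode (the advisory names neither); the class name, method names, seed and plaintext are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Random;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

public class KeySourceDemo {
    // Weak pattern: 256-bit key drawn from java.util.Random (assumed stand-in).
    // Every key byte is a deterministic function of the seed.
    static byte[] weakKey(long seed) {
        byte[] key = new byte[32];
        new Random(seed).nextBytes(key);
        return key;
    }

    // Hardened pattern: key bytes come from the platform CSPRNG.
    static byte[] strongKey() {
        byte[] key = new byte[32];
        new SecureRandom().nextBytes(key);
        return key;
    }

    // AES-256-GCM helper; mode is Cipher.ENCRYPT_MODE or Cipher.DECRYPT_MODE.
    static byte[] aesGcm(int mode, byte[] key, byte[] iv, byte[] in) throws Exception {
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(mode, new SecretKeySpec(key, "AES"), new GCMParameterSpec(128, iv));
        return c.doFinal(in);
    }

    public static void main(String[] args) throws Exception {
        long seed = 1234L; // constructed sample seed
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv);
        byte[] secret = "constructed sample value".getBytes(StandardCharsets.UTF_8);

        // Service side: encrypt under the key derived from the weak PRNG.
        byte[] ct = aesGcm(Cipher.ENCRYPT_MODE, weakKey(seed), iv, secret);

        // The same seed rebuilds the identical key, so the ciphertext opens.
        byte[] pt = aesGcm(Cipher.DECRYPT_MODE, weakKey(seed), iv, ct);
        System.out.println("weak key reproducible from seed: " + Arrays.equals(secret, pt));

        // CSPRNG keys are independent draws; there is no seed to recover.
        System.out.println("strong keys differ: " + !Arrays.equals(strongKey(), strongKey()));
    }
}
```

When auditing other code for the same pattern, the thing to look for is key, IV or token material filled from java.util.Random, Math.random() or a similar general-purpose generator instead of SecureRandom or KeyGenerator.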
Impact
Exploitation of this vulnerability allows for the decryption of data that has been encrypted using the compromised key, potentially leading to unauthorized access to sensitive information.
Remediation
Users can upgrade to Sakai versions 23.5, 25.0, or the latest trunk version to address this vulnerability.
