Spring Security Advisories

CVE-2019-3795: Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security

LOW | APRIL 04, 2019 | CVE-2019-3795

Description

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

Affected Spring Products and Versions

  • Spring Security 4.2 to 4.2.11
  • Spring Security 5.0 to 5.0.11
  • Spring Security 5.1 to 5.1.4

Mitigation

Users of affected versions should apply the following mitigation:

  • 4.2.x users should upgrade to 4.2.12
  • 5.0.x users should upgrade to 5.0.12
  • 5.1.x users should upgrade to 5.1.5

Credit

This issue was identified and responsibly reported by Thijs Alkemade.

History

  • 2019-04-02: Initial vulnerability report published.

Get ahead

VMware offers training and certification to turbo-charge your progress.

Learn more

Get support

Tanzu Spring Runtime offers support and binaries for OpenJDK™, Spring, and Apache Tomcat® in one simple subscription.

Learn more

Upcoming events

Check out all the upcoming events in the Spring community.

View all