CVE-2019-3795: Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security
Severity
Low
Vendor
Spring by Pivotal
Description
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
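The two conditions in the description (a caller-supplied seed, and output that is observable) come from a property of the JDK's SHA1PRNG implementation: if setSeed is called on a freshly constructed instance before it has produced any output, the supplied seed becomes the only entropy and fully determines the stream, whereas a seed applied after the first nextBytes call only supplements the generator's own self-seeding. The following standalone Java program is an added illustration of that JDK behaviour; it is not Spring Security's code and does not use SecureRandomFactoryBean. It assumes the Sun/Oracle "SHA1PRNG" provider is available, and the APP_SEED value is a constructed stand-in for a seed file an application might configure.

```java
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

/**
 * Standalone illustration (not Spring Security code) of why seeding a
 * freshly constructed SHA1PRNG SecureRandom before it has produced any
 * output makes the output reproducible from the seed alone.
 */
public class SeedingDemo {

    // Constructed example: stands in for the contents of a seed file that an
    // application configures, i.e. material that may not be secret.
    private static final byte[] APP_SEED = "example-seed-file-contents".getBytes();

    /** Seed applied before any output: the seed replaces self-seeding (weak pattern). */
    static byte[] seedBeforeFirstOutput(byte[] seed, int n) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        rnd.setSeed(seed);            // with no prior output, this is the sole entropy source
        byte[] out = new byte[n];
        rnd.nextBytes(out);
        return out;
    }

    /** Force self-seeding first, then mix in the seed: the seed only supplements (hardened pattern). */
    static byte[] seedAfterFirstOutput(byte[] seed, int n) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        rnd.nextBytes(new byte[1]);   // triggers the provider's internal seeding from the OS
        rnd.setSeed(seed);            // now supplements rather than replaces the state
        byte[] out = new byte[n];
        rnd.nextBytes(out);
        return out;
    }

    static String hex(byte[] b) {
        StringBuilder sb = new StringBuilder();
        for (byte x : b) sb.append(String.format("%02x", x));
        return sb.toString();
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Two independent instances seeded the same way before any output:
        // the streams match, so observing one reveals the other.
        byte[] weak1 = seedBeforeFirstOutput(APP_SEED, 16);
        byte[] weak2 = seedBeforeFirstOutput(APP_SEED, 16);
        System.out.println("seed-only #1        : " + hex(weak1));
        System.out.println("seed-only #2        : " + hex(weak2));
        System.out.println("identical           : " + Arrays.equals(weak1, weak2)); // true

        // Two instances that self-seeded first: the configured seed is mixed in
        // on top of OS entropy, so the streams differ.
        byte[] good1 = seedAfterFirstOutput(APP_SEED, 16);
        byte[] good2 = seedAfterFirstOutput(APP_SEED, 16);
        System.out.println("self-seeded + seed #1: " + hex(good1));
        System.out.println("self-seeded + seed #2: " + hex(good2));
        System.out.println("identical           : " + Arrays.equals(good1, good2)); // false
    }
}
```

When reviewing an application for exposure, the question to ask is whether any SecureRandom (including one produced by SecureRandomFactoryBean with a seed configured) had setSeed applied before its first nextBytes call while running an affected version; upgrading to the fixed versions listed below removes the need to audit the seed's secrecy, since the seed then only supplements the generator's own entropy.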
Affected Pivotal Products and Versions
Severity is low unless otherwise noted.
- Spring Security 4.2 to 4.2.11
- Spring Security 5.0 to 5.0.11
- Spring Security 5.1 to 5.1.4
Mitigation
Users of affected versions should apply the following mitigation:
- 4.2.x users should upgrade to 4.2.12
- 5.0.x users should upgrade to 5.0.12
- 5.1.x users should upgrade to 5.1.5
Credit
This issue was identified and responsibly reported by Thijs Alkemade.
History
2019-04-02: Initial vulnerability report published.