Bug 1696616 (CVE-2019-3795)

Summary: CVE-2019-3795 spring-security-core: Insecure randomness when using a secureRandom instance constructed by Spring Security
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: low
Priority: low
Version: unspecified
CC: chazlett, eglynn, gmalinko, janstey, jjoyce, jpretori, jschluet, lhh, lpeer, mburns, mgarciac, mkolesni, pdelbell, rstepani, sclewis, scohen, slinaber
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: spring-security-core 4.2.12, spring-security-core 5.0.12, spring-security-core 5.1.5
Doc Type: If docs needed, set a value
Last Closed: 2021-10-27 03:27:33 UTC
Bug Blocks: 1696617

Description Marian Rehak 2019-04-05 09:30:05 UTC
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

References:

https://pivotal.io/security/cve-2019-3795
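The failure mode described above comes from how the JDK's SHA1PRNG treats a caller-supplied seed: if setSeed is called before any output has been requested, that seed becomes the only seed material, so every instance built from the same seed emits the same byte stream. The following example, added here and not taken from the advisory or from Spring Security's source, demonstrates that behaviour and contrasts it with the pattern of forcing self-seeding before supplementing with the application's seed. The seed bytes are a constructed stand-in for whatever resource an application would pass to SecureRandomFactoryBean#setSeed; the method names are the example's own.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeededRandomDemo {

    // Constructed sample seed. In a real deployment this would be the contents of the
    // resource handed to the factory bean, which an attacker may be able to guess or read.
    static final byte[] SEED = "constructed-demo-seed".getBytes(StandardCharsets.UTF_8);

    // Weak pattern: the caller's seed is applied before any bytes are drawn. For SHA1PRNG
    // the JDK then uses only that seed, so the output is a pure function of the seed.
    static byte[] seedOnly(byte[] seed) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        rnd.setSeed(seed);
        byte[] out = new byte[16];
        rnd.nextBytes(out);
        return out;
    }

    // Hardened pattern: draw one byte first, which forces the PRNG to seed itself from the
    // platform entropy source; the caller's seed then supplements rather than replaces it.
    static byte[] selfSeedThenSupplement(byte[] seed) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance("SHA1PRNG");
        rnd.nextBytes(new byte[1]);
        rnd.setSeed(seed);
        byte[] out = new byte[16];
        rnd.nextBytes(out);
        return out;
    }

    // Check used by the demo: build two independent instances the same way and compare
    // their first 16 output bytes. Equal output means the stream is reproducible.
    static boolean reproducibleAcrossInstances(boolean weak) throws NoSuchAlgorithmException {
        byte[] first = weak ? seedOnly(SEED) : selfSeedThenSupplement(SEED);
        byte[] second = weak ? seedOnly(SEED) : selfSeedThenSupplement(SEED);
        return Arrays.equals(first, second);
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        System.out.println("seed-only SHA1PRNG reproducible: " + reproducibleAcrossInstances(true));
        System.out.println("self-seeded then supplemented reproducible: " + reproducibleAcrossInstances(false));
    }
}
```

Running the demo shows that two seed-only instances return identical bytes, which is exactly the condition the advisory requires for impact (a known seed plus output visible to an attacker), while the self-seeded instances diverge. The hardened method reflects the general JDK guidance of requesting output before calling setSeed; it illustrates the class of fix rather than reproducing the patch shipped in the fixed Spring Security versions listed above.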

Comment 1 Joshua Padman 2019-04-08 10:51:32 UTC
Red Hat OpenStack's OpenDaylight contains the vulnerable code. However, the vulnerability is not exploitable given the way the library is used within OpenDaylight. OpenDaylight was technical preview prior to OpenStack 13 and will be deprecated in OpenStack 14.

Comment 3 Summer Long 2019-04-09 23:46:44 UTC
Statement:

Red Hat OpenStack Platform's OpenDaylight versions 9 and 10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.

Comment 4 Joshua Padman 2019-05-15 23:03:46 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.