Bug 1696616 (CVE-2019-3795) - CVE-2019-3795 spring-security-core: Insecure randomness when using a secureRandom instance constructed by Spring Security
Summary: CVE-2019-3795 spring-security-core: Insecure randomness when using a secureRa...
Alias: CVE-2019-3795
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On:
Blocks: 1696617
TreeView+ depends on / blocked
Reported: 2019-04-05 09:30 UTC by Marian Rehak
Modified: 2021-10-27 03:27 UTC (History)
10 users (show)

Fixed In Version: spring-security-core 4.2.12, spring-security-core 5.0.12, spring-security-core 5.1.5
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-27 03:27:33 UTC

Attachments (Terms of Use)

Description Marian Rehak 2019-04-05 09:30:05 UTC
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.



Comment 1 Joshua Padman 2019-04-08 10:51:32 UTC
Red Hat OpenStack's OpenDaylight contains the vulnerable code. However, the vulnerability is not exploitable given the way the library is used within OpenDaylight. OpenDaylight was technical preview prior to OpenStack 13 and will be deprecated in OpenStack 14.

Comment 3 Summer Long 2019-04-09 23:46:44 UTC

Red Hat OpenStack Platform's OpenDaylight versions 9 and 10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.

Comment 4 Joshua Padman 2019-05-15 23:03:46 UTC
This vulnerability is out of security support scope for the following product:
 * Red Hat JBoss Fuse 6

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Note You need to log in before you can comment on or make changes to this bug.