CVE-2019-3795: Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security
Spring by Pivotal
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
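The description above states the precondition (a caller-supplied seed, with the resulting random material observable by an attacker) but not why a seeded instance is weak. The following is an added example, not code from this advisory or from Spring Security; it uses only the JDK and seeds a SecureRandom directly, the way a factory bean that applies setSeed before the instance has produced any output would, beside the hardened ordering. The algorithm name (SHA1PRNG, which I take to be SecureRandomFactoryBean's default; the page does not name it), the sample seed and all method names are assumptions, and whether the fixed Spring Security versions use exactly this ordering is not stated on the page.

```java
import java.nio.charset.StandardCharsets;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

public class SeededPrngDemo {

    // Constructed sample seed, standing in for the seed Resource an application
    // might pass to SecureRandomFactoryBean#setSeed. Hypothetical value.
    static final byte[] APP_SEED = "app-seed-2019".getBytes(StandardCharsets.US_ASCII);

    // Assumed to be the factory bean's default algorithm; the advisory does not name it.
    static final String ALGORITHM = "SHA1PRNG";

    /**
     * Weak pattern: the caller's seed is applied before the generator has
     * produced any output. The SHA1PRNG engine takes a setSeed() that arrives
     * before the first nextBytes() as its initial state (SHA-1 of the seed),
     * so no platform entropy is ever mixed in and the entire output stream is
     * a function of the seed alone.
     */
    static byte[] seedBeforeFirstUse(byte[] seed, int count) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance(ALGORITHM);
        rnd.setSeed(seed);          // becomes the whole state
        byte[] out = new byte[count];
        rnd.nextBytes(out);
        return out;
    }

    /**
     * Hardened pattern: force the engine to self-seed from the platform seed
     * source first, then add the caller's seed. Once state exists, setSeed()
     * supplements it rather than replacing it, so knowing the seed no longer
     * determines the output.
     */
    static byte[] seedAfterFirstUse(byte[] seed, int count) throws NoSuchAlgorithmException {
        SecureRandom rnd = SecureRandom.getInstance(ALGORITHM);
        rnd.nextBytes(new byte[1]); // eager default seeding from the platform source
        rnd.setSeed(seed);          // supplements the existing state
        byte[] out = new byte[count];
        rnd.nextBytes(out);
        return out;
    }

    /**
     * Models an attacker who knows or has guessed the seed and replays it:
     * returns true when a second instance built from the same seed emits the
     * same bytes as the application's instance.
     */
    static boolean outputIsPredictable(byte[] seed, boolean seedBeforeUse) throws NoSuchAlgorithmException {
        byte[] application = seedBeforeUse ? seedBeforeFirstUse(seed, 32) : seedAfterFirstUse(seed, 32);
        byte[] attacker    = seedBeforeUse ? seedBeforeFirstUse(seed, 32) : seedAfterFirstUse(seed, 32);
        return Arrays.equals(application, attacker);
    }

    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        System.out.println("seed before first use : " + hex(seedBeforeFirstUse(APP_SEED, 16))
                + "  predictable=" + outputIsPredictable(APP_SEED, true));
        System.out.println("seed after first use  : " + hex(seedAfterFirstUse(APP_SEED, 16))
                + "  predictable=" + outputIsPredictable(APP_SEED, false));
    }
}
```

Run it with `java SeededPrngDemo.java` (JDK 11 or later). In the seed-before-use case the two instances agree byte for byte: anyone who knows or can guess the seed (a file shipped with the application, a short string) reproduces the application's random stream, and observed output, the advisory's second precondition, lets them confirm such a guess. In the hardened case the two instances diverge because each mixed in its own platform-sourced state. The demonstration is specific to the SHA1PRNG engine; a default `new SecureRandom()` on Linux (NativePRNG) mixes a supplied seed with /dev/urandom output and does not show this weakness. To check exposure, look for configuration that sets the `seed` property of SecureRandomFactoryBean; as the advisory says, instances created without a supplied seed are not affected.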
Affected Pivotal products and versions (severity is low unless otherwise noted):
- Spring Security 4.2 to 4.2.11
- Spring Security 5.0 to 5.0.11
- Spring Security 5.1 to 5.1.4
Users of affected versions should apply the following mitigation:
- 4.2.x users should upgrade to 4.2.12
- 5.0.x users should upgrade to 5.0.12
- 5.1.x users should upgrade to 5.1.5
This issue was identified and responsibly reported by Thijs Alkemade.
2019-04-02: Initial vulnerability report published.