CVE-2019-3795 Spring Security insecure randomness vulnerability

Issue date: 01-07-2019
Affects versions: 13.1, 13.0, 12.6

Issue ID: SECURITY-106

Affected Product Version(s)
12.6.2, 13.0.1, 13.1.0 (and previous patch releases)

Severity

Medium

Description

CVE-2019-3795

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

This vulnerability is classified with severity medium. Although default usage of this library within the Bloomreach Experience Manager product is not vulnerable, project specific usages of this third-party code within a customer project may be vulnerable.

The affected third-party library has been updated to the latest compatible version available. For 12.6.3, this is Spring Security 4.2.12. For 13.0.2 and above, this is Spring Security 5.1.5.

Instructions

Every customer is strongly advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.

Content Application

Channels

Projects

Relevance

Architecture

Concepts

Platform Configuration

Frontend Integration

Backend Development

Commerce Accelerator

Cloud Deployment (PaaS)

On-Premise Deployment

Security

Release Management

Platform Development

Bloomreach Documentation version

CVE-2019-3795 Spring Security insecure randomness vulnerability