CVE-2019-3795 Spring Security insecure randomness vulnerabilityIssue date: 01-07-2019
Affects versions: 13.1, 13.0, 12.6
Issue ID: SECURITY-106
Affected Product Version(s)
12.6.2, 13.0.1, 13.1.0 (and previous patch releases)
Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
This vulnerability is classified with severity medium. Although default usage of this library within the Bloomreach Experience Manager product is not vulnerable, project specific usages of this third-party code within a customer project may be vulnerable.
The affected third-party library has been updated to the latest compatible version available. For 12.6.3, this is Spring Security 4.2.12. For 13.0.2 and above, this is Spring Security 5.1.5.
Every customer is strongly advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.