CVE-2019-3795 Spring Security insecure randomness vulnerability - BloomReach Experience - Open Source CMS

CVE-2019-3795 Spring Security insecure randomness vulnerability 

Issue date: 01-07-2019
Affects versions: 13.1, 13.0, 12.6

Issue ID: SECURITY-106

 

Affected Product Version(s)
12.6.2, 13.0.1, 13.1.0 (and previous patch releases)


Severity 

Medium


Description

CVE-2019-3795

Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.

This vulnerability is classified with severity medium. Although default usage of this library within the Bloomreach Experience Manager product is not vulnerable, project specific usages of this third-party code within a customer project may be vulnerable.

The affected third-party library has been updated to the latest compatible version available. For 12.6.3, this is Spring Security 4.2.12. For 13.0.2 and above, this is Spring Security 5.1.5.

 

Instructions

Every customer is strongly advised to upgrade as soon as possible to the latest maintenance release as indicated above, or higher. This can be done by simply incrementing the version number of the parent POM for the implementation project.