[SECURITY] CVE-2019-16303 - JHipster Vulnerability Fix - Use CSPRNG in RandomUtil #1
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This fixes a security vulnerability in this project where the `RandomUtil.java` file(s) were using an insecure Pseudo Random Number Generator (PRNG) instead of a Cryptographically Secure Pseudo Random Number Generator (CSPRNG) for security sensitive data. Signed-off-by: Jonathan Leitschuh <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a security fix for a vulnerability in your JHipster generated
RandomUtil.javafile(s).Technical Impact
Using one password reset token from your app combined with the POC below, an attacker can determine all future password reset tokens to be generated by this server. This allows an attacker to pick and choose what account they would like to takeover by sending account password reset requests for targeted accounts.
Tell Me More!
A version of JHipster Generator that was vulnerable to CVE-2019-16303 was used to generate this project.
This version of JHipster generated code using an insecure source of randomness in security sensitive locations.
This class of vulnerability is better known as CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG).
This vulnerability has a CVSS v3.0 Base Score of 9.8/10.
POC code has existed since March 3rd, 2018 for taking one RNG value generated by
RandomStringUtilsand reversing it to generate all of the past/future RNG values.This contribution is a part of a submission to the GitHub Security Lab Bug Bounty program.
Detecting this and Future Vulnerabilities
LGTM.com was used to automatically detect this vulnerability using a custom CodeQL query.
As of September 2019 LGTM.com and Semmle are officially a part of GitHub.
You can automatically detect future vulnerabilities like this by enabling the free (for open-source) LGTM App.
I'm not an employee of GitHub nor of Semmle, I'm simply a user of LGTM.com and an open-source security researcher.
Source
Yes, this contribution was automatically generated, however, the code to generate this PR was lovingly hand crafted to bring this security fix to your repository.
The source code that generated and submitted this PR can be found here:
JLLeitschuh/bulk-security-pr-generator
The fix was generated for each vulnerable file, preserving the original style of the file, by the Rewrite project. See the specific code for this fix here.
Opting-Out
If you'd like to opt-out of future automated security vulnerability fixes like this, please consider adding a file called
.github/GH-ROBOTS.txtto your repository with the line:This bot will respect the ROBOTS.txt format for future contributions.
Alternatively, if this project is no longer actively maintained, consider archiving the repository.
CLA Requirements
This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.
It is unlikely that I'll be able to directly sign CLAs. However, all contributed commits are already automatically signed-off.
If signing your organization's CLA is a strict-requirement for merging this contribution, please feel free to close this PR.
Tracking
All PR's generated as part of this fix are tracked here:
JLLeitschuh/bulk-security-pr-generator#5