CVE-2019-3795
Insecure Randomness vulnerability in spring-security-core (Maven)
What is CVE-2019-3795 About?
This vulnerability is an insecure randomness issue in Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 when using `SecureRandomFactoryBean#setSeed`. It allows attackers to potentially predict random values if the seed is known and the random material is exposed. Exploitation requires specific conditions where the seed is predictable and the output is observable.
Affected Software
- org.springframework.security:spring-security-core
- >5.0.0, <5.0.12
- >5.1.0, <5.1.5
- >4.2.0, <4.2.12
Technical Details
Spring Security versions 4.2.x (before 4.2.12), 5.0.x (before 5.0.12), and 5.1.x (before 5.1.5) are affected by an insecure randomness vulnerability when an application uses SecureRandomFactoryBean and explicitly calls its setSeed method with a predictable or known seed value. If an application provides a deterministic or insufficiently random seed to SecureRandomFactoryBean#setSeed and subsequently uses the generated 'random' material (e.g., for session IDs, tokens, or cryptographic keys) in a way that allows an attacker to observe or inspect it, the attacker could deduce the internal state of the SecureRandom instance. This predictability undermines the security guarantees of features relying on randomness, such as authentication tokens or encryption keys, making them susceptible to brute-force or guessing attacks.
What is the Impact of CVE-2019-3795?
Successful exploitation may allow attackers to predict sensitive values like session tokens or cryptographic keys, bypass security controls, and impersonate users or gain unauthorized access.
What is the Exploitability of CVE-2019-3795?
Exploitation of this vulnerability is of high complexity, as it requires a very specific set of conditions: the application must explicitly call SecureRandomFactoryBean#setSeed with an insecurely generated or predictable seed, and the 'random' output must be observable by an attacker. No specific authentication or privilege is usually required for the attacker to observe the outputs, but the setup of the application is crucial. This can be a remote vulnerability if the 'random' outputs are transmitted over the network and observable. A special condition is the setSeed method being used with a non-secure seed. Risk factors increase significantly if an application is deployed with a hardcoded or easily guessable seed, and cryptographic outputs are publicly exposed.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | ||
What are the Available Fixes for CVE-2019-3795?
Available Upgrade Options
- org.springframework.security:spring-security-core
- >4.2.0, <4.2.12 → Upgrade to 4.2.12
- org.springframework.security:spring-security-core
- >5.0.0, <5.0.12 → Upgrade to 5.0.12
- org.springframework.security:spring-security-core
- >5.1.0, <5.1.5 → Upgrade to 5.1.5
Struggling with dependency upgrades?
See how Resolved Security's drop-in replacements make it simple.
Book a demoAdditional Resources
- https://github.com/advisories/GHSA-v2r2-7qm7-jj6v
- https://pivotal.io/security/cve-2019-3795
- http://www.securityfocus.com/bid/107802
- http://www.securityfocus.com/bid/107802
- https://lists.debian.org/debian-lts-announce/2019/05/msg00026.html
- https://pivotal.io/security/cve-2019-3795
- https://osv.dev/vulnerability/GHSA-v2r2-7qm7-jj6v
- https://nvd.nist.gov/vuln/detail/CVE-2019-3795
- https://lists.debian.org/debian-lts-announce/2019/05/msg00026.html
What are Similar Vulnerabilities to CVE-2019-3795?
Similar Vulnerabilities: CVE-2020-5398 , CVE-2022-31627 , CVE-2022-31628 , CVE-2022-22971 , CVE-2023-34034
