Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[SECURITY] CVE-2019-16303 - JHipster Vulnerability Fix - Use CSPRNG in RandomUtil #1

Open
wants to merge 1 commit into
base: master
Choose a base branch
from

Conversation

JLLeitschuh
Copy link


This is a security fix for a vulnerability in your JHipster generated RandomUtil.java file(s).

Technical Impact

Using one password reset token from your app combined with the POC below, an attacker can determine all future password reset tokens to be generated by this server. This allows an attacker to pick and choose what account they would like to takeover by sending account password reset requests for targeted accounts.

Tell Me More!

A version of JHipster Generator that was vulnerable to CVE-2019-16303 was used to generate this project.
This version of JHipster generated code using an insecure source of randomness in security sensitive locations.

This class of vulnerability is better known as CWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG).

This vulnerability has a CVSS v3.0 Base Score of 9.8/10.

POC code has existed since March 3rd, 2018 for taking one RNG value generated by RandomStringUtils and reversing it to generate all of the past/future RNG values.

This contribution is a part of a submission to the GitHub Security Lab Bug Bounty program.

Detecting this and Future Vulnerabilities

LGTM.com was used to automatically detect this vulnerability using a custom CodeQL query.

As of September 2019 LGTM.com and Semmle are officially a part of GitHub.

You can automatically detect future vulnerabilities like this by enabling the free (for open-source) LGTM App.

I'm not an employee of GitHub nor of Semmle, I'm simply a user of LGTM.com and an open-source security researcher.

Source

Yes, this contribution was automatically generated, however, the code to generate this PR was lovingly hand crafted to bring this security fix to your repository.

The source code that generated and submitted this PR can be found here:
JLLeitschuh/bulk-security-pr-generator

The fix was generated for each vulnerable file, preserving the original style of the file, by the Rewrite project. See the specific code for this fix here.

Opting-Out

If you'd like to opt-out of future automated security vulnerability fixes like this, please consider adding a file called
.github/GH-ROBOTS.txt to your repository with the line:

User-agent: JLLeitschuh/bulk-security-pr-generator
Disallow: *

This bot will respect the ROBOTS.txt format for future contributions.

Alternatively, if this project is no longer actively maintained, consider archiving the repository.

CLA Requirements

This section is only relevant if your project requires contributors to sign a Contributor License Agreement (CLA) for external contributions.

It is unlikely that I'll be able to directly sign CLAs. However, all contributed commits are already automatically signed-off.

The meaning of a signoff depends on the project, but it typically certifies that committer has the rights to submit this work under the same license and agrees to a Developer Certificate of Origin
(see https://developercertificate.org/ for more information).

- Git Commit Signoff documentation

If signing your organization's CLA is a strict-requirement for merging this contribution, please feel free to close this PR.

Tracking

All PR's generated as part of this fix are tracked here:
JLLeitschuh/bulk-security-pr-generator#5

This fixes a security vulnerability in this project where the `RandomUtil.java`
file(s) were using an insecure Pseudo Random Number Generator (PRNG) instead of
a Cryptographically Secure Pseudo Random Number Generator (CSPRNG) for
security sensitive data.

Signed-off-by: Jonathan Leitschuh <[email protected]>
@CLAassistant
Copy link

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants