Vulnerability Name:

CVE-2019-3795 (CCN-159543)

Assigned: 2019-04-02
Published: 2019-04-02
Updated: 2021-11-02
Summary: Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection.
CVSS v3 Severity: 5.3 Medium (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
4.6 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  • Attack Vector (AV): Network
  • Attack Complexity (AC): Low
  • Privileges Required (PR): None
  • User Interaction (UI): None
Scope:
  • Scope (S): Unchanged
Impact Metrics:
  • Confidentiality (C): Low
  • Integrity (I): None
  • Availability (A): None

6.5 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N)
5.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:C)
Exploitability Metrics:
  • Attack Vector (AV): Network
  • Attack Complexity (AC): High
  • Privileges Required (PR): None
  • User Interaction (UI): None
Scope:
  • Scope (S): Unchanged
Impact Metrics:
  • Confidentiality (C): High
  • Integrity (I): Low
  • Availability (A): None

CVSS v2 Severity: 5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N)
Exploitability Metrics:
  • Access Vector (AV): Network
  • Access Complexity (AC): Low
  • Authentication (Au): None
Impact Metrics:
  • Confidentiality (C): Partial
  • Integrity (I): None
  • Availability (A): None

6.1 Medium (CCN CVSS v2 Vector: AV:N/AC:H/Au:N/C:C/I:P/A:N)
Exploitability Metrics:
  • Access Vector (AV): Network
  • Access Complexity (AC): High
  • Authentication (Au): None
Impact Metrics:
  • Confidentiality (C): Complete
  • Integrity (I): Partial
  • Availability (A): None
Vulnerability Type: CWE-330
Vulnerability Consequences: Gain Access

References:

Source: MITRE
Type: CNA
CVE-2019-3795

Source: BID
Type: Third Party Advisory, VDB Entry
107802

Source: XF
Type: UNKNOWN
pivotal-cve20193795-weak-security(159543)

Source: MLIST
Type: Mailing List, Third Party Advisory
[debian-lts-announce] 20190520 [SECURITY] [DLA 1794-1] libspring-security-2.0-java security update

Source: CCN
Type: Pivotal Web site
CVE-2019-3795: Insecure Randomness When Using a SecureRandom Instance Constructed by Spring Security

Source: CONFIRM
Type: Vendor Advisory
https://pivotal.io/security/cve-2019-3795

Source: CCN
Type: IBM Security Bulletin 6320835 (Security Guardium Data Encryption)
Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Source: CCN
Type: IBM Security Bulletin 6403331 (Security Guardium Data Encryption)
Multiple Vulnerabilities in IBM Guardium Data Encryption (GDE)

Source: CCN
Type: IBM Security Bulletin 6572511 (Sterling B2B Integrator)
IBM Sterling B2B Integrator vulnerable to multiple vulnerabilities due to Spring Security

Source: CCN
Type: IBM Security Bulletin 6841803 (Cognos Controller)
IBM Cognos Controller has addressed multiple vulnerabilities

Vulnerable Configuration:

Configuration 1:
  • cpe:/a:vmware:spring_security:*:*:*:*:*:*:*:* (Version >= 5.0.0 and < 5.0.12)
  • OR cpe:/a:vmware:spring_security:*:*:*:*:*:*:*:* (Version >= 4.2.0 and < 4.2.12)
  • OR cpe:/a:vmware:spring_security:*:*:*:*:*:*:*:* (Version >= 5.1.0 and < 5.1.5)

Configuration 2:
  • cpe:/o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:ibm:sterling_b2b_integrator:6.0.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:security_guardium_data_encryption:3.0.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cognos_controller:10.4.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.1.0.0:*:*:*:standard:*:*:*
  • OR cpe:/a:ibm:sterling_b2b_integrator:6.0.3.5:*:*:*:standard:*:*:*

* Denotes that component is vulnerable

Oval Definitions:
Definition ID | Class | Title | Last Modified
oval:com.ubuntu.trusty:def:20193795000 | V | CVE-2019-3795 on Ubuntu 14.04 LTS (trusty) - low. | 2019-04-09