Main Vulnerability Database SB2019092409

SB2019092409 - Weak pseudo-random number generator in Apereo CAS

Published: September 24, 2019

Security Bulletin ID SB2019092409

Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Data manipulation

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 security vulnerability.

1) Use of cryptographically weak pseudo-random number generator (PRNG) (CVE-ID: CVE-2019-10754)

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to the application generates tokens using a weak cryptographic algorithm provided by Apache commons-lang3 RandomStringUtils. A remote attacker can guess randomly generate tokens and bypass security restriction that rely on these tokens.

Remediation

Install update from vendor's website.

References

https://github.com/alex91ar/randomstringutils
https://github.com/apereo/cas/commit/40bf278e66786544411c471de5123e7a71826b9f
https://medium.com/@alex91ar/the-java-soothsayer-a-practical-application-for-insecure-randomness-c67...