Detect JHipster Generator Vulnerability CVE-2019-16303

ID: java/jhipster-prng
Kind: problem
Security severity: 7.8
Severity: error
Precision: very-high
Tags:
  - security
  - external/cwe/cwe-338
Query suites:
  - java-code-scanning.qls
  - java-security-extended.qls
  - java-security-and-quality.qls
This query detects instances of RandomUtil.java that were generated by a JHipster version that is vulnerable to CVE-2019-16303.
If an app uses a RandomUtil.java generated by a vulnerable version of JHipster, attackers can request a password reset token and use it to predict the value of future reset tokens generated by this server. Using this information, they can create a reset link that allows them to take over any account.
This vulnerability has a CVSS v3.0 Base Score of 9.8/10.
Example
The example below shows the vulnerable RandomUtil class generated by JHipster prior to version 6.3.0.

```java
import org.apache.commons.lang3.RandomStringUtils;

/**
 * Utility class for generating random Strings.
 */
public final class RandomUtil {

    private static final int DEF_COUNT = 20;

    private RandomUtil() {
    }

    /**
     * Generate a password.
     *
     * @return the generated password.
     */
    public static String generatePassword() {
        return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom
    }

    /**
     * Generate an activation key.
     *
     * @return the generated activation key.
     */
    public static String generateActivationKey() {
        return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom
    }

    /**
     * Generate a reset key.
     *
     * @return the generated reset key.
     */
    public static String generateResetKey() {
        return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom
    }

    /**
     * Generate a unique series to validate a persistent token, used in the
     * authentication remember-me mechanism.
     *
     * @return the generated series data.
     */
    public static String generateSeriesData() {
        return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom
    }

    /**
     * Generate a persistent token, used in the authentication remember-me mechanism.
     *
     * @return the generated token data.
     */
    public static String generateTokenData() {
        return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom
    }
}
```
Below is a fixed version of the RandomUtil class.

```java
import org.apache.commons.lang3.RandomStringUtils;
import java.security.SecureRandom;

/**
 * Utility class for generating random Strings.
 */
public final class RandomUtil {

    private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom

    private static final int DEF_COUNT = 20;

    static {
        SECURE_RANDOM.nextBytes(new byte[64]);
    }

    private RandomUtil() {
    }

    private static String generateRandomAlphanumericString() {
        // GOOD: Passing Secure Random to RandomStringUtils::random
        return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
    }

    /**
     * Generate a password.
     *
     * @return the generated password.
     */
    public static String generatePassword() {
        return generateRandomAlphanumericString();
    }

    /**
     * Generate an activation key.
     *
     * @return the generated activation key.
     */
    public static String generateActivationKey() {
        return generateRandomAlphanumericString();
    }

    /**
     * Generate a reset key.
     *
     * @return the generated reset key.
     */
    public static String generateResetKey() {
        return generateRandomAlphanumericString();
    }

    /**
     * Generate a unique series to validate a persistent token, used in the
     * authentication remember-me mechanism.
     *
     * @return the generated series data.
     */
    public static String generateSeriesData() {
        return generateRandomAlphanumericString();
    }

    /**
     * Generate a persistent token, used in the authentication remember-me mechanism.
     *
     * @return the generated token data.
     */
    public static String generateTokenData() {
        return generateRandomAlphanumericString();
    }
}
```
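As an added check that is not part of the CodeQL query or of JHipster's own code, the following Python script is a lightweight heuristic for the same pattern: it flags RandomStringUtils factory calls in a Java source file, and treats RandomStringUtils.random(...) as acceptable only when its final argument is a SecureRandom declared in the same file. The INSECURE_METHODS list and the two embedded Java samples are constructed for this example.

```python
import re
# RandomStringUtils factory methods that always draw from the shared
# java.util.Random; only random(...) accepts a caller-supplied Random.
INSECURE_METHODS = {"randomAlphanumeric", "randomNumeric", "randomAlphabetic",
                    "randomAscii", "randomGraph", "randomPrint"}
CALL_RE = re.compile(r"RandomStringUtils\s*\.\s*(\w+)\s*\(([^;]*)\)\s*;")
SECURE_DECL_RE = re.compile(r"\bSecureRandom\s+(\w+)\s*=")

def _last_argument(arglist):
    """Return the final top-level argument of a Java argument list."""
    depth, start = 0, 0
    for i, ch in enumerate(arglist):
        depth += (ch in "([{") - (ch in ")]}")
        if ch == "," and depth == 0:
            start = i + 1
    return arglist[start:].strip()

def find_insecure_calls(java_source):
    """Return (line, method) for RandomStringUtils calls not fed by a local SecureRandom."""
    secure_names = set(SECURE_DECL_RE.findall(java_source))
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for m in CALL_RE.finditer(line):
            method, last = m.group(1), _last_argument(m.group(2))
            if method in INSECURE_METHODS:
                findings.append((lineno, method))
            elif method == "random" and last not in secure_names \
                    and not last.startswith("new SecureRandom"):
                findings.append((lineno, method))
    return findings

# Constructed samples condensed from the vulnerable and fixed RandomUtil above.
VULNERABLE = """\
public final class RandomUtil {
    public static String generateResetKey() {
        return RandomStringUtils.randomNumeric(20);
    }
    public static String generateTokenData() {
        return RandomStringUtils.randomAlphanumeric(20);
    }
}
"""
FIXED = """\
public final class RandomUtil {
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    private static String generateRandomAlphanumericString() {
        return RandomStringUtils.random(20, 0, 0, true, true, null, SECURE_RANDOM);
    }
}
"""
```

A call such as RandomStringUtils.random(..., new Random()) is still reported, since java.util.Random is not a SecureRandom; the script is a triage aid, not a replacement for the CodeQL query.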
Recommendation
You should refactor the RandomUtil class and replace every call to RandomStringUtils.randomAlphanumeric. You could regenerate the class using the latest version of JHipster, or use an automated refactoring, for example the Patching JHipster CWE-338 recipe for the Rewrite project.
References
Cloudflare Blog: Why secure systems require random numbers
Hacker News: How I Hacked Hacker News (with arc security advisory)
Posts by Pucara Information Security Team: The Java Soothsayer: A practical application for insecure randomness. (Includes free 0day)
Common Weakness Enumeration: CWE-338.