Detect JHipster Generator vulnerability CVE-2019-16303
ID: java/jhipster-prng
Kind: problem
Security severity: 7.8
Severity: error
Precision: very-high
Tags:
- security
- external/cwe/cwe-338
Query suites:
- java-code-scanning.qls
- java-security-extended.qls
- java-security-and-quality.qls
This query detects instances of RandomUtil.java generated by JHipster versions vulnerable to CVE-2019-16303.

If an application uses a RandomUtil.java generated by a vulnerable version of JHipster, an attacker may request a password reset token and use it to predict the value of future reset tokens generated by this server. Using this information, they could create a reset link that lets them take over any account.

This vulnerability has a CVSS v3.0 base score of 9.8/10.
Example

The following example shows the vulnerable RandomUtil class generated by JHipster prior to version 6.3.0.
import org.apache.commons.lang3.RandomStringUtils;

/**
 * Utility class for generating random Strings.
 */
public final class RandomUtil {

    private static final int DEF_COUNT = 20;

    private RandomUtil() {
    }

    /**
     * Generate a password.
     *
     * @return the generated password.
     */
    public static String generatePassword() {
        return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom
    }

    /**
     * Generate an activation key.
     *
     * @return the generated activation key.
     */
    public static String generateActivationKey() {
        return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom
    }

    /**
     * Generate a reset key.
     *
     * @return the generated reset key.
     */
    public static String generateResetKey() {
        return RandomStringUtils.randomNumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom
    }

    /**
     * Generate a unique series to validate a persistent token, used in the
     * authentication remember-me mechanism.
     *
     * @return the generated series data.
     */
    public static String generateSeriesData() {
        return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom
    }

    /**
     * Generate a persistent token, used in the authentication remember-me mechanism.
     *
     * @return the generated token data.
     */
    public static String generateTokenData() {
        return RandomStringUtils.randomAlphanumeric(DEF_COUNT); // BAD: RandomStringUtils does not use SecureRandom
    }
}
The following is the fixed version of the RandomUtil class.
import org.apache.commons.lang3.RandomStringUtils;
import java.security.SecureRandom;

/**
 * Utility class for generating random Strings.
 */
public final class RandomUtil {

    private static final SecureRandom SECURE_RANDOM = new SecureRandom(); // GOOD: Using SecureRandom

    private static final int DEF_COUNT = 20;

    static {
        SECURE_RANDOM.nextBytes(new byte[64]);
    }

    private RandomUtil() {
    }

    private static String generateRandomAlphanumericString() {
        // GOOD: Passing Secure Random to RandomStringUtils::random
        return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
    }

    /**
     * Generate a password.
     *
     * @return the generated password.
     */
    public static String generatePassword() {
        return generateRandomAlphanumericString();
    }

    /**
     * Generate an activation key.
     *
     * @return the generated activation key.
     */
    public static String generateActivationKey() {
        return generateRandomAlphanumericString();
    }

    /**
     * Generate a reset key.
     *
     * @return the generated reset key.
     */
    public static String generateResetKey() {
        return generateRandomAlphanumericString();
    }

    /**
     * Generate a unique series to validate a persistent token, used in the
     * authentication remember-me mechanism.
     *
     * @return the generated series data.
     */
    public static String generateSeriesData() {
        return generateRandomAlphanumericString();
    }

    /**
     * Generate a persistent token, used in the authentication remember-me mechanism.
     *
     * @return the generated token data.
     */
    public static String generateTokenData() {
        return generateRandomAlphanumericString();
    }
}
Recommendation

You should refactor the RandomUtil class and replace every call to RandomStringUtils.randomAlphaNumeric. You can regenerate this class with the latest version of JHipster, or use an automated refactoring, for example Patch JHipster CWE-338 for the Rewrite project.
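As an added illustration (not part of the CodeQL query, JHipster, or the Rewrite recipe), the following Python check flags the pattern this query looks for in Java source: RandomStringUtils calls that do not pass a SecureRandom. It is a regex heuristic rather than the CodeQL analysis; the method list, the sample Java text and the name find_insecure_calls are assumptions constructed here.

```python
import re

# RandomStringUtils methods that draw from the library's shared java.util.Random
# when no Random source is supplied (method list assumed from the commons-lang3 API).
INSECURE_METHODS = {"random", "randomAlphanumeric", "randomNumeric", "randomAlphabetic", "randomAscii"}
# RandomStringUtils.<method>(<args>); one level of nested parentheses is allowed
# so that an inline `new SecureRandom()` argument is captured too.
CALL_RE = re.compile(r"RandomStringUtils\s*\.\s*(\w+)\s*\(((?:[^()]|\([^()]*\))*)\)")
# Fields or locals declared with type SecureRandom, e.g. SECURE_RANDOM in the fix.
SECURE_DECL_RE = re.compile(r"\bSecureRandom\s+(\w+)\s*=")

def find_insecure_calls(java_source: str):
    """Return (line, method) for RandomStringUtils calls that lack a SecureRandom source."""
    secure_names = set(SECURE_DECL_RE.findall(java_source))
    findings = []
    for lineno, line in enumerate(java_source.splitlines(), start=1):
        for match in CALL_RE.finditer(line):
            method, args = match.group(1), match.group(2)
            if method not in INSECURE_METHODS:
                continue
            arg_list = [a.strip() for a in args.split(",") if a.strip()]
            # Only the 7-argument random(count, start, end, letters, numbers,
            # chars, random) overload accepts a caller-supplied Random source.
            if method == "random" and len(arg_list) == 7:
                source = arg_list[-1]
                if source in secure_names or source.startswith("new SecureRandom"):
                    continue  # GOOD: explicit SecureRandom, as in the fixed RandomUtil
            findings.append((lineno, method))
    return findings

# Constructed sample: two vulnerable generators beside the fixed helper from the page.
SAMPLE_JAVA = """
public final class RandomUtil {
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();
    private static final int DEF_COUNT = 20;
    public static String generateResetKey() {
        return RandomStringUtils.randomNumeric(DEF_COUNT);
    }
    public static String generatePassword() {
        return RandomStringUtils.randomAlphanumeric(DEF_COUNT);
    }
    private static String generateRandomAlphanumericString() {
        return RandomStringUtils.random(DEF_COUNT, 0, 0, true, true, null, SECURE_RANDOM);
    }
}
"""

if __name__ == "__main__":
    for lineno, method in find_insecure_calls(SAMPLE_JAVA):
        print(f"line {lineno}: RandomStringUtils.{method} does not use SecureRandom")
```

A java.util.Random passed explicitly as the seventh argument is still reported, since only a declared SecureRandom (or an inline new SecureRandom()) is accepted.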
References

Cloudflare blog: Why secure systems require random numbers
Hacker News: How I Hacked Hacker News (with arc security advisory)
Article by the Pucara Information Security team: The Java Soothsayer: A practical application for insecure randomness. (Includes free 0day)
Common Weakness Enumeration: CWE-338.