Security researchers resolve crypto flaws in JHipster apps – The Daily Swig

John Leyden, 23 September 2020 at 11:27 UTC. Updated: 24 September 2020 at 13:10 UTC

Nearly 4,000 pull requests were issued to fix dependent projects

UPDATED Security researchers have run a successful exercise to refactor apps that inherited a cryptographic flaw from a vulnerable code generator, JHipster.

Both JHipster and JHipster Kotlin were updated in late June to break their reliance on a weak pseudo-random number generator (PRNG).

The vulnerability meant that an attacker who had obtained a password reset token from a service generated by JHipster or JHipster Kotlin would be able to correctly predict future password reset tokens.

This made it possible for an unauthorized third party to request an administrator's password reset token in order to take over a privileged account.

Web applications and microservices built using a vulnerable version of either JHipster or JHipster Kotlin were not themselves fixed even after the code-generating utilities were updated to fixed versions - JHipster 6.3.0 and JHipster Kotlin 1.2.0, respectively. Generated code is copied into each project at generation time, so every affected application had to be patched individually.

Software engineer Jonathan Leitschuh estimated in early July that there were as many as 14,600 instances of vulnerable applications generated using vulnerable builds of JHipster on GitHub.

BACKGROUND App generator tool JHipster Kotlin fixes fundamental cryptographic bug

Over the course of 16 hours, 3,880 pull requests were issued to fix instances of CVE-2019-16303, the PRNG vulnerability in the JHipster code generator.

The same underlying vulnerability also affected apps made using JHipster Kotlin.

The root cause of the problem in the case of both JHipster and JHipster Kotlin was reliance on the Apache Commons Lang 3 RandomStringUtils helpers to generate tokens. Those convenience helpers draw their randomness from java.util.Random, a small-state linear congruential generator that is not designed to be cryptographically secure, rather than from java.security.SecureRandom.
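The pattern behind the flaw, shown as an added illustration rather than code taken from JHipster, JHipster Kotlin or the article: the no-argument RandomStringUtils helpers use a shared java.util.Random instance, whereas the overload that accepts a Random source can be handed a SecureRandom. Class and method names here (ResetTokenExample, weakToken, strongToken) are assumptions for the example; the RandomStringUtils signatures are those of Commons Lang 3.

```java
import java.security.SecureRandom;
import java.util.Random;
import org.apache.commons.lang3.RandomStringUtils;

// Added example (not JHipster code): weak versus hardened reset-token generation.
public final class ResetTokenExample {

    private static final int TOKEN_LENGTH = 20;

    // Hypothetical name. VULNERABLE: the no-argument helpers in Commons Lang 3
    // draw from a static java.util.Random, a 48-bit linear congruential
    // generator whose future outputs are determined by its current state.
    static String weakToken() {
        return RandomStringUtils.randomAlphanumeric(TOKEN_LENGTH);
    }

    // One SecureRandom for the JVM; it is thread-safe and seeds itself from
    // the platform's CSPRNG.
    private static final SecureRandom SECURE_RANDOM = new SecureRandom();

    // Hypothetical name. HARDENED: the same alphanumeric alphabet, but the
    // randomness comes from SecureRandom via the overload that takes a Random.
    // start = end = 0 with chars == null selects the default ' '..'z' range,
    // filtered to letters and digits by the two boolean flags.
    static String strongToken() {
        return RandomStringUtils.random(TOKEN_LENGTH, 0, 0, true, true, null, SECURE_RANDOM);
    }

    public static void main(String[] args) {
        System.out.println("weak   : " + weakToken());
        System.out.println("strong : " + strongToken());

        // Why java.util.Random is unsuitable for tokens: its output is a pure
        // function of its state. Two instances with the same state emit the
        // same "random" token, so anyone who recovers the state predicts the rest.
        long sameState = 42L; // constructed value for the demonstration
        String a = RandomStringUtils.random(TOKEN_LENGTH, 0, 0, true, true, null, new Random(sameState));
        String b = RandomStringUtils.random(TOKEN_LENGTH, 0, 0, true, true, null, new Random(sameState));
        System.out.println("java.util.Random tokens from equal state match: " + a.equals(b)); // true
    }
}
```

When auditing a generated project, the thing to look for is any call to RandomStringUtils.randomAlphanumeric, randomAlphabetic or randomNumeric on a code path that produces a secret (reset keys, activation keys, API keys); each should be replaced by the seven-argument overload with an explicit SecureRandom, or by building the token directly from SecureRandom bytes.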

The JHipster app patching exercise, supported by GitHub Security Lab, relied on a code refactoring tool developed by Jon Schneider of source code transformation startup Moderne.

Leitschuh told The Daily Swig: "We plan to do this sort of thing again in the future with other vulnerabilities, but hopefully ones that are more complex and less cookie cutter."

JHipster is an open source package that's used to generate web applications and microservices. JHipster Kotlin performs the same functions to generate apps written in Kotlin, a modern cross-platform programming language.

This story has been updated and revised to reflect that the refactoring exercise focused on JHipster-generated apps and not JHipster, as first and inaccurately reported.
