{"id":44482,"date":"2020-09-24T10:57:34","date_gmt":"2020-09-24T14:57:34","guid":{"rendered":"https:\/\/www.opensource.im\/uncategorized\/security-researchers-resolve-crypto-flaws-in-jhipster-apps-the-daily-swig.php"},"modified":"2020-09-24T10:57:34","modified_gmt":"2020-09-24T14:57:34","slug":"security-researchers-resolve-crypto-flaws-in-jhipster-apps-the-daily-swig","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/opensource-code\/security-researchers-resolve-crypto-flaws-in-jhipster-apps-the-daily-swig.php","title":{"rendered":"Security researchers resolve crypto flaws in JHipster apps &#8211; The Daily Swig"},"content":{"rendered":"<p>John Leyden, 23 September 2020 at 11:27 UTC. Updated: 24 September 2020 at 13:10 UTC<\/p>\n<p>Nearly 4,000 pull requests were issued to fix dependent projects<\/p>\n<p>UPDATED Security researchers have run a successful exercise to refactor apps that inherited a cryptographic flaw from a vulnerable code generator, JHipster.<\/p>\n<p>Both JHipster and JHipster Kotlin were updated in late June to break their reliance on a weak pseudo-random number generator (PRNG).<\/p>\n<p>The vulnerability meant that an attacker who had obtained a password reset token from a JHipster- or JHipster Kotlin-generated service would be able to correctly predict future password reset tokens.<\/p>\n<p>This made it possible for an unauthorized third party to request an administrator's password reset token in order to take over a privileged account.<\/p>\n<p>Web applications and microservices built using vulnerable versions of either JHipster or JHipster Kotlin were not themselves fixed even after the code-generating utilities were updated to fixed versions - JHipster 6.3.0 and JHipster Kotlin 1.2.0, respectively.<\/p>\n<p>Software engineer Jonathan Leitschuh estimated in early July that there were as many as 14,600 instances of vulnerable 
applications generated using vulnerable builds of JHipster on GitHub.<\/p>\n<p>BACKGROUND App generator tool JHipster Kotlin fixes fundamental cryptographic bug<\/p>\n<p>Over the course of 16 hours, 3,880 pull requests were issued to fix instances of CVE-2019-16303, the PRNG vulnerability in the JHipster code generator.<\/p>\n<p>The same underlying vulnerability also affected apps made using JHipster Kotlin.<\/p>\n<p>The root cause of the problem in the case of both JHipster and JHipster Kotlin was reliance on Apache Commons Lang 3 RandomStringUtils to handle PRNGs.<\/p>\n<p>The JHipster app patching exercise, supported by GitHub Security Lab, relied on a code refactoring tool developed by Jon Schneider of source code transformation startup Moderne.<\/p>\n<p>Leitschuh told The Daily Swig: \"We plan to do this sort of thing again in the future with other vulnerabilities, but hopefully ones that are more complex and less cookie cutter.\"<\/p>\n<p>JHipster is an open source package that's used to generate web applications and microservices. 
JHipster Kotlin performs the same functions to generate apps that are compatible with Kotlin, a modern cross-platform programming language.<\/p>\n<p>This story has been updated and revised to reflect that the refactoring exercise focused on JHipster-generated apps and not JHipster, as first and inaccurately reported.<\/p>\n<p>RECOMMENDED Critical XSS vulnerability in Instagram's Spark AR nets 14-year-old researcher $25,000<\/p>\n<p>Continued here:<br \/>\n<a target=\"_blank\" rel=\"nofollow noopener noreferrer\" href=\"https:\/\/portswigger.net\/daily-swig\/security-researchers-resolve-crypto-flaws-in-jhipster-apps\" title=\"Security researchers resolve crypto flaws in JHipster apps - The Daily Swig\">Security researchers resolve crypto flaws in JHipster apps - The Daily Swig<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p> John Leyden, 23 September 2020 at 11:27 UTC. Updated: 24 September 2020 at 13:10 UTC. Nearly 4,000 pull requests were issued to fix dependent projects. UPDATED Security researchers have run a successful exercise to refactor apps that inherited a cryptographic flaw from a vulnerable code generator, JHipster. 
Both JHipster and JHipster Kotlin were updated in late June to break their reliance on a weak pseudo-random number generator (PRNG)<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[78317],"tags":[],"class_list":["post-44482","post","type-post","status-publish","format-standard","hentry","category-opensource-code"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/44482"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=44482"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/44482\/revisions"}],"wp:attachment":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=44482"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=44482"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=44482"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}