{
  "threat_severity" : "Low",
  "public_date" : "2019-04-02T00:00:00Z",
  "bugzilla" : {
    "description" : "spring-security-core: Insecure randomness when using a secureRandom instance constructed by Spring Security",
    "id" : "1696616",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1696616"
  },
  "cvss3" : {
    "cvss3_base_score" : "3.3",
    "cvss3_scoring_vector" : "CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N",
    "status" : "draft"
  },
  "cwe" : "CWE-330",
  "details" : [ "Spring Security versions 4.2.x prior to 4.2.12, 5.0.x prior to 5.0.12, and 5.1.x prior to 5.1.5 contain an insecure randomness vulnerability when using SecureRandomFactoryBean#setSeed to configure a SecureRandom instance. In order to be impacted, an honest application must provide a seed and make the resulting random material available to an attacker for inspection." ],
  "statement" : "Red Hat OpenStack Platform's OpenDaylight versions 9 and 10 contain the vulnerable code. However, these OpenDaylight versions were released as technical preview with limited support and will therefore not be updated. Other OpenDaylight versions do not contain the vulnerable library.",
  "package_state" : [ {
    "product_name" : "Red Hat Fuse 7",
    "fix_state" : "Fix deferred",
    "package_name" : "spring-security-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse:7"
  }, {
    "product_name" : "Red Hat JBoss Fuse 6",
    "fix_state" : "Out of support scope",
    "package_name" : "spring-security-core",
    "cpe" : "cpe:/a:redhat:jboss_fuse:6"
  }, {
    "product_name" : "Red Hat OpenStack Platform 10 (Newton)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:10"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 14 (Rocky)",
    "fix_state" : "Not affected",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:14"
  }, {
    "product_name" : "Red Hat OpenStack Platform 8 (Liberty)",
    "fix_state" : "Not affected",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:8"
  }, {
    "product_name" : "Red Hat OpenStack Platform 9 (Mitaka)",
    "fix_state" : "Will not fix",
    "package_name" : "opendaylight",
    "cpe" : "cpe:/a:redhat:openstack:9"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2019-3795\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-3795" ],
  "name" : "CVE-2019-3795",
  "csaw" : false
}