-
-
Notifications
You must be signed in to change notification settings - Fork 4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug bounty for security advisory - thank you @JLLeitschuh #10401
Comments
Wow! Thank you! This is incredibly kind of you guys! |
You are welcome! Thanks for your advice! If you have any questions regarding the bounty process don't hesitate to ask 👍 |
@jdubois You should have finished filling out that disclosure form before submitting it. The disclosure in it's current format, unfortunately, isn't that useful to anyone. Plus there currently any CVE numbers issued for this vulnerability. I will be moving forward with the CVE number request. Here is the full disclosure of this vulnerabilityCWE-338: Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)JHipster is using an insecure source of randomness to generate all of it's random values. JHipster relies upon apache commons lang3 From the documentation:
Here are the examples of JHipster's use of an insecure PRNG: Lines 33 to 78 in 5c0c2fc
Proof Of Concepts Already ExistThere has been a POC of taking one RNG value generated POC Repository: https://github.com/alex91ar/randomstringutils Potential Impact TechnicalAll that is required is to get one password reset token from a JHipster generated service and using the POC above, you can reverse what all future password reset tokens to be generated by this server. This allows an attacker to pick and choose what account they would like to takeover by sending account password reset requests for targeted accounts. Potential Impact ScaleYou have a lot of companies using JHipster: You have ~15k projects that all contain the You have 26k projects using your project according to GitHub's dependency insights: The release notes are here: https://www.jhipster.tech/2019/09/13/jhipster-release-6.3.0.html |
I'm sorry @JLLeitschuh which form are you talking about? |
@jdubois The form that generated this advisory: You had to expand the advisory to fill in the forms to generate it. Also, you should have filed for a CVE before disclosure of this vulnerability. I'm working on getting that issued right now. |
Oh I totally missed you could click on the title!!! I thought it was just some fancy formatting! |
@jdubois Can you please contact GitHub support to get a fully written up public disclosure replaced with the current contents? I will get the CVE number for that disclosure. |
Oh I missed this link too!!! I'm lost here. Is this just me?? I'll contact Github support, but probably after the weekend. |
@jdubois This is time-sensitive. This vulnerability is now public and the full details are now publicly disclosed & is trivial to exploit. We need to move more quickly than waiting till Monday to alert the public. Please contact (or have someone from your team) ASAP. |
The full attack scenario is detailed as follows:
This attack scenario is completely valid and would work against anyone with these servers deployed today. |
I agree, but the fix has been published, as well as a clear explanation at the top of the release notes, explaining what to do. |
We also have dependabot sending patches, which seem to have the correct information. |
A CVE number has been requested. I'll follow up when MITRE has gotten back to me. |
@jdubois Can you prioritize getting this fixed as well? |
@rschultheis could you help us here? I published the security advisory without filling it up, and now it's read-only. Could we edit it? |
@jdubois Expense submitted: Thank you very much for the bounty! I really appreciate it! $500 more towards my college loans. 😄 |
CVE has been assigned. (The link will be live shortly): https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16303 |
Ok, as far as I understand, the only issue we have is the text of the advisory which is wrong - that's my fault and I hope we can edit it. Thanks a lot @JLLeitschuh ! |
@jhipster/developers can someone with merge rights take a look at jhipster kotlin? |
Bounty just approuved. Thanks a lot @JLLeitschuh for your help ! @atomfrede : I'm having a look |
@atomfrede : same question here, can this ticket be closed or is it not finished yet ? |
Unfortunately we haven't been able to update the vulnerability report - I'm hoping we can get help from @rschultheis so let's keep this opened a few days, and close it if we have no solution. |
@jdubois Your organization has an email address for every single company that has publicly stated that they are using JHipster as indicated by your form. I advise that you take advantage of having this list of contacts and reach out to them directly about this vulnerability so that they can get this issue patched. As an aside: if any of these companies have their own BB programs you can tell them I accept donations to my PayPal account at |
Indeed, I also have the emails of more than 30,000 users who registered to https://start.jhipster.tech Then, none of those persons have given us the right to mass-email them, even for their own good, so I'm not sure what is the right thing to do here |
I have a friend with some legal experience in this space that I've reached out to for their opinion on this. You could also try asking the EFF. |
👋 @jdubois
Sorry just getting caught up with some notifications, and we can defnitely do something to help here. I did indeed notice that advisory get submitted with the default template. I the UI there is a bit confusing and we are taking a look at how to make this problem harder to happen. But more importantly, our product doesn't offer update yet! I'll discuss with the team, is there a preferred Our GitHub security advisory is currently published with this as the description:
|
Thanks a lot @rschultheis !!
|
OK @jdubois I've updated the advisory with description I proposed, as well as additional meta data like the CVE ID. Let me know what you think! I am more than happy to make additional changes to the description if you would like! Also, we clearly need to support updating advisories after publish, thanks for pinging me on this issue here! |
@jdubois : If I may chip in with a minor suggestion; I noticed that the security policy has your email address. I would suggest maybe add an address which goes to all the team leads? Just had this thought, since this way if you aren't available someone else can look into it. 😄 |
Also, consider moving your security policy to a |
It's already created : https://github.com/jhipster/.github |
Thanks everyone for the help!!!
|
Related to my comment here, I noticed the release notes (and the advisory tweet) state that you are only affected if you use JWT, but doesn't this also affect Session and UAA auth types? They both use RandomUtil for generating reset tokens. |
@ruddell These components are also impacted and vulnerable. |
Oh that's an awesome catch @ruddell - I feel ashamed by this, especially as I coded the session authentication, so I should be the best to know!! So yes, those are also vulnerable: I can update the release notes, and warn people in tomorrow's release. It's a bit strange because this is already fixed, but that's probably the only solution. |
@jdubois RE: Emailing discussed above 👆 #10401 (comment) The advice from US CERT was basically, they are not lawyers and so they can't provide legal advice. That being said:
I think from an ethical point of view, it's the right thing to do and you should send out an email disclosing this vulnerability to all potentially impacted parties. If you move forward with this though, please make sure that you BCC your email so that everyone can't see everyone else's address. You may want to reach out to Microsoft's security team for assistance on this one. |
Thanks @JLLeitschuh I'll have a look at what we can do - I have no mass email solution to send emails to 30,000 people. Our contact channel as always been Twitter - I know it's not perfect, but that's easy and free. |
@jdubois : Seems like you guys already use Google groups; which means you should have a Google Admin account. Suggestion; you could probably leverage this and create a custom Google group with invite only access to external members with appropriate access privileges and roles. 😄 |
@SudharakaP oh yes but it's really a mess. The UI sucks, it's awful to manage (I'm going to use it today again, I never know where to click). Also, I need to check how this works: in fact I realize this shouldn't be a mailing list, it's more an annoucement list. People shouldn't be able to send mails to each other, otherwise it's going to be a mess. |
@jdubois : Yes I agree, the UI is not quite obvious. 😄 But I think this fits the bill if you could get the permissions set up correctly. No they cannot see or reply to the whole list; notice there's a setting on the following page; called "Post Replies". I haven't tested this though; you probably need to run some tests. 😄 |
@jdubois : So I've went ahead and tested this out for you. Here are the preliminary steps. With these each user will receive emails when you post to the distribution list. They can only reply to the owner. If they try to reply to the group it will bounce back. Let me know if you need any further help. I can do some more tests if you'd like. 😄 😄
All this being said; I should say it might be easier and elegant to purchase a bulk email solution if you guys have the budget. 😄 😄 |
Thanks so much!!! I'll have a close look at this. |
I think we can close this and discuss further things on our mailing list if needed. |
Hey @jdubois, Now that GitHub supports giving credit on disclosures, would you be willing to put me as the finder on both of these? GHSA-mwp6-j9wf-968c Also, the Daily Swig covered this, and they kinda got the story wrong, so I'm working with them to correct it. |
@JLLeitschuh I have updated the Kotlin one, I can't update the one in the main generator. |
Hi @ JLLeitschuh it should be OK for both issues! Thank you for everything |
This is for GHSA-mwp6-j9wf-968c which isn't public at the time of this writing
@JLLeitschuh thank you so much for reporting this issue!!!
We would like to thank you by giving you a $500 bug bounty on the project, and this is why I'm creating this ticket (this is to follow our official process to give money).
To have more information on our bug bounties program, please read https://www.jhipster.tech/bug-bounties/
The text was updated successfully, but these errors were encountered: