Nearly 4,000 pull requests were issued to fix dependant projects

UPDATED Security researchers have run a successfully exercise to refactor apps that inherited a cryptographic flaw from a vulnerable code generator, JHipster.

Both JHipster and JHipster Kotlin were updated in late June to break their reliance on a weak pseudo-random number generator (PRNG).

The vulnerability meant that an attacker who had obtained a password reset token from a JHipster or JHipster Kotlin generated service would be able to correctly predict future password reset tokens.

This made it possible for an unauthorized third party to request an administrator’s password reset token in order to take over a privileged account.

Legacy of insecurity

Web applications and microservices built using vulnerable version of either JHipster or JHipster Kotlin were not themselves fixed even after the code generating utilities were updated to fixed versions - JHipster 6.3.0 and JHipster Kotlin 1.2.0, respectively.

Software engineer Jonathan Leitschuh estimated in early July that there were as many as 14,600 instances of vulnerable applications generated using vulnerable builds of JHipster on GitHub.


BACKGROUND App generator tool JHipster Kotlin fixes fundamental cryptographic bug


Last weekend, Leitschuh and his colleagues ran an exercise to seek out and update open source applications still vulnerable to the PRNG problem using an automated pull request generator.

Over the course of 16 hours, 3,880 pull requests were issued to fix instances of CVE-2019-16303, the PRNG vulnerability in the JHipster code generator.

The same underlying vulnerability also affected apps made using JHipster Kotlin.

The root cause of the problem in the case of both JHipster and JHipster Kotlin was reliance on Apache Commons Lang 3 RandomStringUtils to handle PRNGs.

Hip to the beat

The JHipster app patching exercise, supported by GitHub Security Lab, relied on a code refactoring tool developed by Jon Schneider of source code transformation startup Moderne.

Leitschuh told The Daily Swig: “We plan to do this sort of thing again in the future with other vulnerabilities, but hopefully ones that are more complex and less cookie cutter.”

JHipster is an open source package that’s used to generate web applications and microservices. JHipster Kotlin performs the same functions to generate apps that are compatible with Kotlin, a modern cross-platform programming language.


This story has been updated and revised to reflect that the refactoring exercise focused on JHipster-generated apps and not JHipster, as first and inaccurately reported.


RECOMMENDED Critical XSS vulnerability in Instagram’s Spark AR nets 14-year-old researcher $25,000