CVE-2019-19135: 
Java vulnerability analysis and mitigation

CVE-2019-19135 affects the OPC Foundation OPC UA .NET Standard codebase version 1.4.357.28 and earlier versions before 1.4.359.31. The vulnerability was disclosed on March 16, 2020, and involves insufficient random number generation in the OPCFoundation.NetStandard.Opc.Ua component (NVD, AttackerKB).

The vulnerability stems from inadequate random number generation in the OPC UA .NET Standard codebase. The CVSS v3.1 base score is 7.4 (High) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N, indicating that it is network-accessible, requires high attack complexity, needs no privileges or user interaction, and can result in high confidentiality and integrity impacts (NVD).

If exploited, the vulnerability allows man-in-the-middle attackers to reuse encrypted user credentials that are transmitted over the network. This could potentially lead to unauthorized access and compromise of affected systems (NVD, CISA Advisory).

The primary mitigation is to update to OPC UA .NET Standard version 1.4.359.31 or later. For systems that cannot be immediately updated, it is recommended to enable encrypted communication between affected OPC UA clients and servers, and to protect network access to devices with appropriate mechanisms (CISA Advisory).

The vulnerability has been acknowledged by major industrial organizations, with AWS incorporating fixes in their IoT SiteWise OPC UA collector component version 2.3.0 to address this security issue (AWS Docs).