Bug 1327056 (CVE-2015-8851)
| Field | Value |
|---|---|
| Summary | CVE-2015-8851 nodejs-node-uuid: insecure entropy source - Math.random() |
| Product | [Other] Security Response |
| Component | vulnerability |
| Status | CLOSED ERRATA |
| Severity | medium |
| Priority | medium |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| Reporter | Andrej Nemec <anemec> |
| Assignee | Red Hat Product Security <security-response-team> |
| CC | bleanhar, ccoleman, dmcphers, jialiu, jkeck, jokerman, jorton, kseifried, lmeyer, mmaslano, mmccomas, tchollingsworth, thrcka, zsvetlik |
| Keywords | Security |
| Fixed In Version | nodejs-node-uuid 1.4.4 |
| Doc Type | Bug Fix |
| Last Closed | 2016-09-20 19:57:43 UTC |
| Bug Depends On | 1327057, 1327058, 1327059, 1333209 |
| Bug Blocks | 1322326 |

Doc Text:
It was found that NodeJS node-uuid used Math.random() to create a GUID (Globally Unique Identifier) which does not provide enough entropy (on some platforms it only provides 32 bits) which can result in collisions of GUIDs. An attacker could use this to guess GUID values and leverage further attacks against a system using node-uuid.
Description
Andrej Nemec
2016-04-14 07:53:03 UTC
Created nodejs-node-uuid tracking bugs for this issue:

Affects: fedora-all [bug 1327057]
Affects: epel-6 [bug 1327058]
Affects: epel-7 [bug 1327059]

This issue was addressed in:

OpenShift Enterprise 3.2.1 in RHBA-2016:1343