Bug 1327056 (CVE-2015-8851)

Summary: CVE-2015-8851 nodejs-node-uuid: insecure entropy source - Math.random()
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: bleanhar, ccoleman, dmcphers, jamielinux, jialiu, jkeck, jokerman, jorton, kseifried, lmeyer, mmaslano, mmccomas, tchollingsworth, thrcka, zsvetlik
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: nodejs-node-uuid 1.4.4
Doc Type: Bug Fix
Doc Text:
It was found that NodeJS node-uuid used Math.random() to create a GUID (Globally Unique Identifier). Math.random() does not provide enough entropy (on some platforms it only provides 32 bits), which can result in collisions of GUIDs. An attacker could use this to guess GUID values and leverage further attacks against a system using node-uuid.
Last Closed: 2016-09-20 19:57:43 UTC
Bug Depends On: 1327058, 1327059, 1327057, 1333209    
Bug Blocks: 1322326    

Description Andrej Nemec 2016-04-14 07:53:03 UTC
node-uuid prior to 1.4.4 contained a bug that caused it to consistently
fall back to using Math.random() instead of a more cryptographically sound
source of entropy, the native crypto module.

External references:

https://nodesecurity.io/advisories/93

References:

http://seclists.org/oss-sec/2016/q2/70

Upstream fix:

https://github.com/broofa/node-uuid/commit/672f3834ed02c798aa021c618d0a5666c8da000d
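
The failure mode in the description, a generator that quietly ends up on Math.random(), can be guarded against by failing closed when the crypto module cannot be found. This is an added example, not node-uuid's code or the upstream fix; `pickRngWithSilentFallback`, `pickRngStrict`, `uuidV4` and the `env` parameter are hypothetical names, and the two environments are constructed.

```javascript
'use strict';
const nodeCrypto = require('crypto');

// Fragile pattern (constructed for illustration): any problem locating the
// CSPRNG is swallowed and the generator quietly degrades to Math.random().
function pickRngWithSilentFallback(env) {
  try {
    const randomBytes = env.crypto.randomBytes; // throws if env.crypto is missing
    if (typeof randomBytes !== 'function') throw new TypeError('no randomBytes');
    return { source: 'crypto', rng: () => randomBytes(16) };
  } catch (err) {
    const weak = () => Array.from({ length: 16 }, () => Math.floor(Math.random() * 256));
    return { source: 'Math.random', rng: weak };
  }
}

// Hardened pattern: fail closed, so a broken detection path is noticed at
// startup instead of producing guessable identifiers.
function pickRngStrict(env) {
  if (!env.crypto || typeof env.crypto.randomBytes !== 'function') {
    throw new Error('CSPRNG unavailable: refusing to fall back to Math.random()');
  }
  return { source: 'crypto', rng: () => env.crypto.randomBytes(16) };
}

// Format 16 random bytes as an RFC 4122 version 4 UUID.
function uuidV4(rng) {
  const b = Buffer.from(rng());
  b[6] = (b[6] & 0x0f) | 0x40; // version 4
  b[8] = (b[8] & 0x3f) | 0x80; // RFC 4122 variant
  const h = b.toString('hex');
  return [h.slice(0, 8), h.slice(8, 12), h.slice(12, 16), h.slice(16, 20), h.slice(20)].join('-');
}

// Constructed environments: one where detection works, one where it does not.
const working = { crypto: nodeCrypto };
const broken = {};
console.log('silent fallback chose:', pickRngWithSilentFallback(broken).source);
console.log('strict generator UUID:', uuidV4(pickRngStrict(working).rng));
```

Recording the selected `source` at startup gives operations a simple signal to alert on if a deployment ever ends up on the weak path.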

Comment 1 Andrej Nemec 2016-04-14 07:53:50 UTC
Created nodejs-node-uuid tracking bugs for this issue:

Affects: fedora-all [bug 1327057]
Affects: epel-6 [bug 1327058]
Affects: epel-7 [bug 1327059]

Comment 3 Kurt Seifried 2016-09-20 19:57:06 UTC
This issue was addressed in:

OpenShift Enterprise 3.2.1

in RHBA-2016:1343