Bug 1954376 (CVE-2021-3538)
Field | Value
---|---
Summary | CVE-2021-3538 satori/go.uuid: predictable UUIDs generated via insecure randomness
Product | [Other] Security Response
Reporter | Sam Fowler <sfowler>
Component | vulnerability
Assignee | Red Hat Product Security <security-response-team>
Status | CLOSED NOTABUG
QA Contact | 
Severity | medium
Docs Contact | 
Priority | medium
Version | unspecified
CC | alitke, anpicker, aos-bugs, aos-install, bbennett, bdettelb, bmontgom, bthurber, cnv-qe-bugs, dgoodwin, dhiller, dymurray, eparis, erooth, fdeutsch, gghezzo, gparvin, hvyas, ibolton, jburrell, jhrozek, jjoyce, jmatthew, jmontleo, jokerman, josorior, jramanat, jschluet, jweiser, krizza, lcosic, lgamliel, lhh, lpeer, mburns, mfilanov, mfojtik, mrogers, nstielau, obulatov, pdhamdhe, pgough, rfreiman, sclewis, slinaber, slucidi, sponnaga, sseago, stcannon, stirabos, sttts, surbania, team-winc, thee, tomckay, xiyuan, xxia
Target Milestone | ---
Keywords | Security
Target Release | ---
Hardware | All
OS | Linux
Whiteboard | 
Fixed In Version | 
Doc Type | If docs needed, set a value
Doc Text | A flaw was found in github.com/satori/go.uuid. Due to insecure randomness in the g.rand.Read function the generated UUIDs are predictable for an attacker.
Story Points | ---
Clone Of | 
Environment | 
Last Closed | 2021-10-28 08:53:13 UTC
Type | ---
Regression | ---
Mount Type | ---
Documentation | ---
CRM | 
Verified Versions | 
Category | ---
oVirt Team | ---
RHEL 7.3 requirements from Atomic Host | 
Cloudforms Team | ---
Target Upstream Version | 
Embargoed | 
Bug Depends On | 1958943, 1957899
Bug Blocks | 1954377, 1957461
Description (Sam Fowler, 2021-04-28 03:58:19 UTC)
It seems like many of our services are using github.com/satori/go.uuid. The issue was introduced by this commit: https://github.com/satori/go.uuid/commit/0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c#diff-0d0495ad16c6f603876bbf484c43b549f53d0b33d4cd74c908b0ee95a94369ea, when the owner of that repo decided to return `(UUID, error)` instead of `UUID`. That commit was after the 1.2.0 release. In the 1.2.0 release the g.rand.Read function is not used. Later, with this commit, the owner changed the introduced g.rand.Read function to ReadFull: https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45

AFAICT kubevirt/project-infra suffers from a transitive dependency originating from test-infra:

```
ERROR: /home/dhiller/.cache/bazel/_bazel_dhiller/cbe91df64505157c960ac2806f3cb3c4/external/io_k8s_test_infra/prow/pjutil/BUILD.bazel:11:1: no such package '@com_github_satori_go_uuid//': The repository '@com_github_satori_go_uuid' could not be resolved and referenced by '@io_k8s_test_infra//prow/pjutil:go_default_library'
ERROR: Analysis of target '//external-plugins/rehearse/plugin/handler:go_default_library' failed; build aborted: no such package '@com_github_satori_go_uuid//': The repository '@com_github_satori_go_uuid' could not be resolved
INFO: Elapsed time: 0.949s
```

We need to see whether we can just bump test-infra and then get rid of this.

All Quay images use the unaffected 1.2.0 version of github.com/satori/go.uuid.

All Migration Toolkit for Container images use the unaffected 1.2.0 version of github.com/satori/go.uuid.

I've started a discussion on the github.com/satori/go.uuid repo about whether that project should be used currently, and everyone confirmed that this project was dropped a long time ago. Everyone who uses it in their code should switch to https://github.com/gofrs/uuid, which is a fork of github.com/satori/go.uuid and is still supported.

So Engineering should be aware of this and stop using github.com/satori/go.uuid in favor of https://github.com/gofrs/uuid.

Statement: An upstream fix has been pushed into the master branch [1], but a new release was not published.

[1] https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45
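The difference between the single `g.rand.Read` call and the `io.ReadFull` fix referenced above, as an added Go example (not code from satori/go.uuid or from this bug report): `shortReader`, `newV4Unchecked` and `newV4Full` are constructed names, and `shortReader` stands in for any `io.Reader` that legitimately returns fewer bytes than requested.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"io"
)

// UUID is the 16 random bytes a version-4 UUID is built from (bit stamping omitted).
type UUID [16]byte

// shortReader is a constructed io.Reader that honours the Read contract but
// fills at most max bytes per call; callers that ignore n get a partial buffer.
type shortReader struct {
	r   io.Reader
	max int
}

func (s shortReader) Read(p []byte) (int, error) {
	if len(p) > s.max {
		p = p[:s.max]
	}
	return s.r.Read(p)
}

// newV4Unchecked is the vulnerable pattern: one Read call whose byte count is
// discarded, so a short read leaves the tail of the UUID all zero and guessable.
func newV4Unchecked(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := r.Read(u[:]); err != nil {
		return UUID{}, err
	}
	return u, nil
}

// newV4Full is the fixed pattern: io.ReadFull fills all 16 bytes or returns an error.
func newV4Full(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return UUID{}, err
	}
	return u, nil
}

func main() {
	src := shortReader{r: rand.Reader, max: 4} // only 4 random bytes per Read
	bad, _ := newV4Unchecked(src)
	good, _ := newV4Full(src)
	fmt.Printf("unchecked Read: %x\nio.ReadFull:    %x\n", bad, good)
}
```

Running it shows the unchecked variant returning 12 zero bytes after the first four, while the `io.ReadFull` variant returns 16 random bytes from the same source.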