Bug 2130517 (CVE-2022-35255)

Summary: CVE-2022-35255 nodejs: weak randomness in WebCrypto keygen
Product: [Other] Security Response
Reporter: TEJ RATHI <trathi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: hhorak, jhouska, jorton, kaycoth, mrunge, mvanderw, nodejs-maint, nodejs-sig, sgallagh, thrcka, zsvetlik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: Nodejs 16.17.1, Nodejs 18.9.1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Node.js due to weak randomness in the WebCrypto secret-key generation path. SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc calls EntropySource() to fill the key buffer but does not check its return value, assuming EntropySource() always succeeds. It can, and sometimes will, fail, in which case the buffer is handed back as key material without having been filled with random bytes. Keys generated on such a failure may be weak or predictable, which could allow a remote attacker to decrypt sensitive information protected with them.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2022-12-04 07:03:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2130524, 2130525, 2130526, 2130523, 2130527, 2130528, 2130529, 2130530, 2130531, 2130543, 2130544, 2130545, 2130546, 2130547, 2130548, 2130549, 2130550, 2130551, 2130552, 2130553, 2130554, 2130555, 2130556, 2130557, 2130558, 2130559, 2130560, 2130561, 2130562, 2130563, 2130564, 2130565, 2130566, 2130567
Bug Blocks: 2130576

Description TEJ RATHI 2022-09-28 13:11:10 UTC
Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value; it assumes EntropySource() always succeeds, but it can (and sometimes will) fail.

Impacts:
All versions of the 18.x and 16.x release lines.

https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/

Comment 1 TEJ RATHI 2022-09-28 13:33:56 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130524]
Affects: fedora-all [bug 2130523]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130527]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130525]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130528]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130529]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130526]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130530]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130531]

Comment 6 errata-xmlrpc 2022-10-17 07:17:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6963 https://access.redhat.com/errata/RHSA-2022:6963

Comment 7 errata-xmlrpc 2022-10-17 07:26:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6964 https://access.redhat.com/errata/RHSA-2022:6964

Comment 8 errata-xmlrpc 2022-11-08 11:30:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7821 https://access.redhat.com/errata/RHSA-2022:7821

Comment 9 Product Security DevOps Team 2022-12-04 07:03:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-35255