Bug 1327056 (CVE-2015-8851) - CVE-2015-8851 nodejs-node-uuid: insecure entropy source - Math.random()
Summary: CVE-2015-8851 nodejs-node-uuid: insecure entropy source - Math.random()
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-8851
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1327057 1327058 1327059 1333209
Blocks: 1322326
Reported: 2016-04-14 07:53 UTC by Andrej Nemec
Modified: 2021-02-17 04:03 UTC (History)

Fixed In Version: nodejs-node-uuid 1.4.4
Doc Type: Bug Fix
Doc Text:
It was found that the Node.js node-uuid module used Math.random() to create GUIDs (Globally Unique Identifiers). Math.random() does not provide enough entropy (on some platforms it only provides 32 bits), which can result in GUID collisions. An attacker could use this to guess GUID values and leverage further attacks against a system using node-uuid.
Clone Of:
Environment:
Last Closed: 2016-09-20 19:57:43 UTC
Embargoed:



Description Andrej Nemec 2016-04-14 07:53:03 UTC
node-uuid prior to 1.4.4 contained a bug that caused it to consistently
fall back to using Math.random() instead of a more cryptographically sound
source of entropy, the native crypto module.

External references:

https://nodesecurity.io/advisories/93

References:

http://seclists.org/oss-sec/2016/q2/70

Upstream fix:

https://github.com/broofa/node-uuid/commit/672f3834ed02c798aa021c618d0a5666c8da000d

Comment 1 Andrej Nemec 2016-04-14 07:53:50 UTC
Created nodejs-node-uuid tracking bugs for this issue:

Affects: fedora-all [bug 1327057]
Affects: epel-6 [bug 1327058]
Affects: epel-7 [bug 1327059]

Comment 3 Kurt Seifried 2016-09-20 19:57:06 UTC
This issue was addressed in:

OpenShift Enterprise 3.2.1

in RHBA-2016:1343

