nodejs-cryptiles before version 4.1.2 does not implement cryptographically secure randomness resulting in the randomDigits() function return a pseudo-random data string biased to certain digits. An attacker could exploit this to guess the generated digits. Upstream Issue: https://github.com/hapijs/cryptiles/issues/34 Upstream Patch: https://github.com/hapijs/cryptiles/commit/9332d4263a32b84e76bf538d7470d01ea63fa047
Created nodejs-cryptiles tracking bugs for this issue: Affects: epel-all [bug 1608155] Affects: fedora-all [bug 1608154]
Cryptiles in rh-nodejs6-nodejs-cryptiles is 2.05, uses the crypto library for RNG, and does not include the randomDigits function addressed in CVE-2018-1000620. Furthermore, it looks as though the randomBits function remains the same. Hence, rh-nodejs6-nodejs-cryptiles looks notaffected.
Cryptiles in rh-nodejs8-nodejs is a dependency of Hawk and is bundled with it. While the CVE-2018-1000620 does apply to the version of exports.randomDigits bundles with this version of Cryptiles, the Hawk package does NOT call the randomDigits function. Instead, it makes use of randomString and fixedTimeComparison. Thus, this package is notaffected by the CVE.
Excluding all the hawk dependencies from RHMAP leaves this list. Hawk was excluded because of the information in comment #3. rhmap-fh-metrics-container-3.2.1-1/nodejs-cryptiles-3.1.2 - Caught by Synk upstream but not addressed yet: https://github.com/feedhenry/fh-metrics-client/pull/6 - It's not actually used in the code, so setting notaffected. redhat_mobile_platform_onpremise:4.7.0/rhmap-fh-appstore-container-2.1.3-1/nodejs-cryptiles-3.1.2/nodejs-boom-5.2.0 - It's not actually used in the code, so setting notaffected.
Statement: Red Hat Quay imports nodejs-crypttiles as a development dependency. Reducing the impact of Red Hat Quay to low.