Bug 1954376 (CVE-2021-3538) - CVE-2021-3538 satori/go.uuid: predictable UUIDs generated via insecure randomness
Summary: CVE-2021-3538 satori/go.uuid: predictable UUIDs generated via insecure random...
Alias: CVE-2021-3538
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: Red Hat1958943 Red Hat1957899
Blocks: Embargoed1954377 Red Hat1957461
Reported: 2021-04-28 03:58 UTC by Sam Fowler
Modified: 2022-08-04 08:54 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in github.com/satori/go.uuid. Due to insecure randomness in the g.rand.Read function, the generated UUIDs are predictable for an attacker.
Clone Of:
Last Closed: 2021-10-28 08:53:13 UTC


System ID                            Private  Priority  Status  Summary                                          Last Updated
Github openshift telemeter pull 379  0        None      open    Update dependency to generate UUID in benchmark  2021-06-17 10:31:17 UTC

Description Sam Fowler 2021-04-28 03:58:19 UTC
github.com/satori/go.uuid provides a pure Go implementation of Universally Unique Identifier (UUID).

Affected versions of this package are vulnerable to Insecure Randomness producing predictable UUID identifiers due to the limited number of bytes read when using the g.rand.Read function.



Comment 4 lnacshon 2021-04-28 12:46:33 UTC
seems like many of our services are using github.com/satori/go.uuid

Comment 5 Przemyslaw Roguski 2021-04-29 14:59:50 UTC
The issue was introduced by this commit:
when the owner of that repo decided to change the return value to `(UUID, error)` instead of `UUID`.

That commit was after the 1.2.0 release.
In the 1.2.0 release the g.rand.Read function is not used.

Later, with this commit, the owner changed the introduced g.rand.Read function to ReadFull:
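
An added illustration of why the Read-versus-ReadFull change matters (example code written for this page, not code from the satori/go.uuid project or from the commits above): `fillVulnerable` and `fillFixed` are hypothetical stand-ins for the UUID byte-filling step, fed a constructed entropy source that returns short reads or runs dry, so the effect of discarding Read's byte count can be observed directly.

```go
package main

import (
	"bytes"
	"fmt"
	"io"
	"testing/iotest"
)

// fillVulnerable mirrors the pre-fix pattern: a single Read whose byte count is
// discarded, so a short read leaves the tail of the UUID as zero bytes.
func fillVulnerable(r io.Reader) ([16]byte, error) {
	var u [16]byte
	_, err := r.Read(u[:]) // n is ignored: this is the defect
	return u, err
}

// fillFixed mirrors the upstream fix: io.ReadFull keeps reading until all 16
// bytes arrive and returns io.ErrUnexpectedEOF if the source runs dry first.
func fillFixed(r io.Reader) ([16]byte, error) {
	var u [16]byte
	_, err := io.ReadFull(r, u[:])
	return u, err
}

// zeroTail counts the never-written zero bytes at the end of u.
func zeroTail(u [16]byte) int { return len(u) - len(bytes.TrimRight(u[:], "\x00")) }

// compare runs both fillers over fresh readers of a constructed entropy source.
// chatty=true wraps it in iotest.OneByteReader, which legally returns one byte
// per Read call, as any io.Reader may.
func compare(entropy []byte, chatty bool) (vulnZeros, fixedZeros int, vulnErr, fixedErr error) {
	src := func() io.Reader {
		if chatty {
			return iotest.OneByteReader(bytes.NewReader(entropy))
		}
		return bytes.NewReader(entropy)
	}
	v, vulnErr := fillVulnerable(src())
	f, fixedErr := fillFixed(src())
	return zeroTail(v), zeroTail(f), vulnErr, fixedErr
}

func main() {
	full := []byte("0123456789abcdef") // 16 non-zero bytes, constructed
	vz, fz, ve, fe := compare(full, true)
	fmt.Printf("short reads:    Read tail=%d err=%v | ReadFull tail=%d err=%v\n", vz, ve, fz, fe)
	vz, fz, ve, fe = compare(full[:10], false) // source that runs dry after 10 bytes
	fmt.Printf("10-byte source: Read tail=%d err=%v | ReadFull tail=%d err=%v\n", vz, ve, fz, fe)
}
```

With short reads the pre-fix pattern silently leaves 15 of 16 bytes zero and reports no error; with a source that runs dry it leaves 6 zero bytes, again without error, whereas ReadFull either fills all 16 bytes or surfaces io.ErrUnexpectedEOF so the caller never uses a partially random UUID.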

Comment 7 Daniel Hiller 2021-04-30 15:41:35 UTC
AFAICT kubevirt/project-infra suffers from a transitive dependency originating from test-infra:

ERROR: /home/dhiller/.cache/bazel/_bazel_dhiller/cbe91df64505157c960ac2806f3cb3c4/external/io_k8s_test_infra/prow/pjutil/BUILD.bazel:11:1: no such package '@com_github_satori_go_uuid//': The repository '@com_github_satori_go_uuid' could not be resolved and referenced by '@io_k8s_test_infra//prow/pjutil:go_default_library'
ERROR: Analysis of target '//external-plugins/rehearse/plugin/handler:go_default_library' failed; build aborted: no such package '@com_github_satori_go_uuid//': The repository '@com_github_satori_go_uuid' could not be resolved
INFO: Elapsed time: 0.949s

We need to see whether we can just bump test-infra and then get rid of this.

Comment 8 Jason Shepherd 2021-05-04 04:37:34 UTC
All Quay images use the unaffected 1.2.0 version of github.com/satori/go.uuid

Comment 9 Jason Shepherd 2021-05-04 05:28:36 UTC
All Migration Toolkit for Container images use the unaffected 1.2.0 version of github.com/satori/go.uuid

Comment 10 Przemyslaw Roguski 2021-05-05 08:49:30 UTC
I've started a discussion on the github.com/satori/go.uuid repo about whether that project should still be used, and everyone confirmed that this project was dropped a long time ago. Everyone who uses it in their code should switch to https://github.com/gofrs/uuid, which is a fork of github.com/satori/go.uuid and is still supported.
So Engineering should be aware of this and stop using github.com/satori/go.uuid in favor of https://github.com/gofrs/uuid

Comment 11 Przemyslaw Roguski 2021-05-05 09:12:21 UTC

An upstream fix has been pushed into the master branch [1], but a new release was not published.

[1] https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45
