Bug 1954376 (CVE-2021-3538) - CVE-2021-3538 satori/go.uuid: predictable UUIDs generated via insecure randomness
Summary: CVE-2021-3538 satori/go.uuid: predictable UUIDs generated via insecure random...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2021-3538
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1958943 1957899
Blocks: 1954377 1957461
TreeView+ depends on / blocked
 
Reported: 2021-04-28 03:58 UTC by Sam Fowler
Modified: 2022-08-04 08:54 UTC (History)
57 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in github.com/satori/go.uuid. Due to insecure randomness in the g.rand.Read function the generated UUIDs are predictable for an attacker.
Clone Of:
Environment:
Last Closed: 2021-10-28 08:53:13 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Github openshift telemeter pull 379 0 None open Update dependency to generate UUID in benchmark 2021-06-17 10:31:17 UTC

Description Sam Fowler 2021-04-28 03:58:19 UTC
github.com/satori/go.uuid is a provides pure Go implementation of Universally Unique Identifier (UUID).

Affected versions of this package are vulnerable to Insecure Randomness producing predictable UUID identifiers due to the limited number of bytes read when using the g.rand.Read function.


References:

https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
https://github.com/satori/go.uuid/issues/73
https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45

Comment 4 lnacshon 2021-04-28 12:46:33 UTC
seems like many of our services are using github.com/satori/go.uuid

Comment 5 Przemyslaw Roguski 2021-04-29 14:59:50 UTC
The issue was introduced by this commit:
https://github.com/satori/go.uuid/commit/0ef6afb2f6cdd6cdaeee3885a95099c63f18fc8c#diff-0d0495ad16c6f603876bbf484c43b549f53d0b33d4cd74c908b0ee95a94369ea
When owner of that repo decided to change the return `(UUID, error)` instead of `UUID`.

That commit was after the 1.2.0 release.
In the 1.2.0 release the g.rand.Read function is not used.

Later with this commit owner changed the introduced g.rand.Read function to ReadFull:
https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45

Comment 7 Daniel Hiller 2021-04-30 15:41:35 UTC
AFAICT kubevirt/project-infra suffers from a transitive dependency originating from test-infra:

ERROR: /home/dhiller/.cache/bazel/_bazel_dhiller/cbe91df64505157c960ac2806f3cb3c4/external/io_k8s_test_infra/prow/pjutil/BUILD.bazel:11:1: no such package '@com_github_satori_go_uuid//': The repository '@com_github_satori_go_uuid' could not be resolved and referenced by '@io_k8s_test_infra//prow/pjutil:go_default_library'
ERROR: Analysis of target '//external-plugins/rehearse/plugin/handler:go_default_library' failed; build aborted: no such package '@com_github_satori_go_uuid//': The repository '@com_github_satori_go_uuid' could not be resolved
INFO: Elapsed time: 0.949s

We need to see whether we can just bump test-infra and then get rid of this.

Comment 8 Jason Shepherd 2021-05-04 04:37:34 UTC
All Quay images use the unaffected 1.2.0 version of github.com/satori/go.uuid

Comment 9 Jason Shepherd 2021-05-04 05:28:36 UTC
All Migration Toolkit for Container images use the unaffected 1.2.0 version of github.com/satori/go.uuid

Comment 10 Przemyslaw Roguski 2021-05-05 08:49:30 UTC
I've started a discussion on github.com/satori/go.uuid repo if that project should be used currently and everyone confirmed that this project was dropped long time ago. Everyone who use it in their code should switch to https://github.com/gofrs/uuid which is a fork to github.com/satori/go.uuid and is still supported.
So Engineering should be aware about this and stop using github.com/satori/go.uuid in favor of https://github.com/gofrs/uuid

Comment 11 Przemyslaw Roguski 2021-05-05 09:12:21 UTC
Statement:

An upstream fix has been pushed into the master branch [1], but new release was not published.

[1] https://github.com/satori/go.uuid/commit/d91630c8510268e75203009fe7daf2b8e1d60c45


Note You need to log in before you can comment on or make changes to this bug.