Bug 2130517 (CVE-2022-35255) - CVE-2022-35255 nodejs: weak randomness in WebCrypto keygen
Summary: CVE-2022-35255 nodejs: weak randomness in WebCrypto keygen
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-35255
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2130524 2130525 2130526 2130523 2130527 2130528 2130529 2130530 2130531 2130543 2130544 2130545 2130546 2130547 2130548 2130549 2130550 2130551 2130552 2130553 2130554 2130555 2130556 2130557 2130558 2130559 2130560 2130561 2130562 2130563 2130564 2130565 2130566 2130567
Blocks: 2130576
TreeView+ depends on / blocked
 
Reported: 2022-09-28 13:11 UTC by TEJ RATHI
Modified: 2022-12-23 09:09 UTC (History)
11 users (show)

Fixed In Version: Nodejs 16.17.1, Nodejs 18.9.1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information.
Clone Of:
Environment:
Last Closed: 2022-12-04 07:03:14 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:7142 0 None None None 2022-10-25 09:06:07 UTC
Red Hat Product Errata RHSA-2022:6963 0 None None None 2022-10-17 07:17:07 UTC
Red Hat Product Errata RHSA-2022:6964 0 None None None 2022-10-17 07:26:38 UTC
Red Hat Product Errata RHSA-2022:7821 0 None None None 2022-11-08 11:30:34 UTC

Description TEJ RATHI 2022-09-28 13:11:10 UTC
Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail.

Impacts:
All versions of the 18.x and 16.x release lines.

https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/

Comment 1 TEJ RATHI 2022-09-28 13:33:56 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130524]
Affects: fedora-all [bug 2130523]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130527]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130525]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130528]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130529]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2130526]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130530]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2130531]

Comment 6 errata-xmlrpc 2022-10-17 07:17:03 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6963 https://access.redhat.com/errata/RHSA-2022:6963

Comment 7 errata-xmlrpc 2022-10-17 07:26:35 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6964 https://access.redhat.com/errata/RHSA-2022:6964

Comment 8 errata-xmlrpc 2022-11-08 11:30:33 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7821 https://access.redhat.com/errata/RHSA-2022:7821

Comment 9 Product Security DevOps Team 2022-12-04 07:03:11 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-35255


Note You need to log in before you can comment on or make changes to this bug.