Bug 2156729 (CVE-2021-4238) - CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are not as random as they should be
Summary: CVE-2021-4238 goutils: RandomAlphaNumeric and CryptoRandomAlphaNumeric are no...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-4238
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2159855 2159856 2159857 2159520 2159843 2159853 2159854 2159858 2159859 2159860 2159861 2159862 2159863 2159864 2159865 2159866 2159867 2159868 2159869 2159870 2159871 2159872 2159873 2159874 2159875 2159876 2159877 2159878 2159879 2159880 2159881 2159882 2159883 2160086 2160087 2160088 2160089 2160090 2160620 2160621 2161305
Blocks: 2156730
Reported: 2022-12-28 11:24 UTC by Avinash Hanwate
Modified: 2023-09-01 04:28 UTC (History)
80 users

Fixed In Version: goutils 1.1.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in goutils where randomly generated alphanumeric strings contain significantly less entropy than expected. Both the `RandomAlphaNumeric` and `CryptoRandomAlphaNumeric` functions always return strings containing at least one digit from 0 to 9. This issue significantly reduces the amount of entropy generated in short strings by these functions.
Clone Of:
Environment:
Last Closed: 2023-02-01 07:26:02 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:0449 0 None None None 2023-01-30 17:31:07 UTC
Red Hat Product Errata RHSA-2023:0540 0 None None None 2023-01-30 16:22:24 UTC
Red Hat Product Errata RHSA-2023:0542 0 None None None 2023-01-30 17:21:15 UTC
Red Hat Product Errata RHSA-2023:0561 0 None None None 2023-02-08 18:49:37 UTC
Red Hat Product Errata RHSA-2023:0565 0 None None None 2023-02-07 13:22:26 UTC
Red Hat Product Errata RHSA-2023:0569 0 None None None 2023-02-07 21:23:51 UTC
Red Hat Product Errata RHSA-2023:0574 0 None None None 2023-02-13 04:31:56 UTC
Red Hat Product Errata RHSA-2023:0651 0 None None None 2023-02-15 07:42:57 UTC
Red Hat Product Errata RHSA-2023:0728 0 None None None 2023-02-16 18:18:34 UTC
Red Hat Product Errata RHSA-2023:0770 0 None None None 2023-02-20 18:30:56 UTC
Red Hat Product Errata RHSA-2023:0774 0 None None None 2023-02-21 18:11:35 UTC
Red Hat Product Errata RHSA-2023:0802 0 None None None 2023-02-17 03:32:45 UTC
Red Hat Product Errata RHSA-2023:0803 0 None None None 2023-02-17 03:46:25 UTC
Red Hat Product Errata RHSA-2023:0804 0 None None None 2023-02-17 04:12:13 UTC
Red Hat Product Errata RHSA-2023:0899 0 None None None 2023-03-01 09:00:16 UTC
Red Hat Product Errata RHSA-2023:1154 0 None None None 2023-03-16 03:52:17 UTC
Red Hat Product Errata RHSA-2023:1159 0 None None None 2023-03-14 02:49:57 UTC
Red Hat Product Errata RHSA-2023:1170 0 None None None 2023-03-08 15:31:17 UTC
Red Hat Product Errata RHSA-2023:1270 0 None None None 2023-03-21 04:14:11 UTC
Red Hat Product Errata RHSA-2023:1297 0 None None None 2023-03-22 03:13:49 UTC
Red Hat Product Errata RHSA-2023:1326 0 None None None 2023-05-17 22:31:20 UTC
Red Hat Product Errata RHSA-2023:1393 0 None None None 2023-03-29 00:58:47 UTC
Red Hat Product Errata RHSA-2023:3742 0 None None None 2023-06-22 19:52:11 UTC

Description Avinash Hanwate 2022-12-28 11:24:56 UTC
Randomly-generated alphanumeric strings contain significantly less entropy than expected. The RandomAlphaNumeric and CryptoRandomAlphaNumeric functions always return strings containing at least one digit from 0 to 9. This significantly reduces the amount of entropy in short strings generated by these functions.

https://github.com/Masterminds/goutils/commit/869801f20f9f1e7ecdbdb6422049d8241270d5e1
https://pkg.go.dev/vuln/GO-2022-0411
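To make the entropy claim in the Doc Text and in the description above concrete, the following is an added example; it is not goutils' code and not part of this bug report. `EntropyBits` computes the maximum entropy a generator can have when every output of length n must contain at least one digit (the all-letter strings, 52^n of them, are excluded from the 62^n possible strings) and compares it with the uniform case. `ForcedDigitAlphaNumeric` is a constructed stand-in for the behaviour the advisory describes (output always contains a digit), not the library's implementation, and `DigitlessFraction` is a sampling check that distinguishes such a generator from a uniform one.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math"
	"math/big"
	"strings"
)

// Alphabet shared by both generators: 52 letters plus 10 digits (62 symbols).
const (
	alnum  = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
	digits = "0123456789"
)

// EntropyBits returns log2 of the number of distinct strings a generator can
// emit at length n. Unconstrained: 62^n. If every output must contain at least
// one digit, the support shrinks to 62^n - 52^n (all-letter strings are
// excluded), so the result is an upper bound on the flawed generator's entropy.
func EntropyBits(n int, forceDigit bool) float64 {
	if n <= 0 {
		return 0
	}
	total := math.Pow(62, float64(n))
	if !forceDigit {
		return math.Log2(total)
	}
	return math.Log2(total - math.Pow(52, float64(n)))
}

// randomIndex draws a uniform index in [0, n) from crypto/rand.
func randomIndex(n int) int {
	v, err := rand.Int(rand.Reader, big.NewInt(int64(n)))
	if err != nil {
		panic(err) // a failing CSPRNG must never be silently replaced by weaker output
	}
	return int(v.Int64())
}

// UniformAlphaNumeric is the expected behaviour: each position is chosen
// independently and uniformly from all 62 symbols.
func UniformAlphaNumeric(n int) string {
	b := make([]byte, n)
	for i := range b {
		b[i] = alnum[randomIndex(len(alnum))]
	}
	return string(b)
}

// ForcedDigitAlphaNumeric is a constructed model of the behaviour the advisory
// describes (every output contains a digit). It resamples until a digit is
// present, so it is uniform over the reduced support and reaches exactly the
// EntropyBits(n, true) bound. It is NOT goutils' actual implementation.
func ForcedDigitAlphaNumeric(n int) string {
	if n <= 0 {
		return ""
	}
	for {
		if s := UniformAlphaNumeric(n); HasDigit(s) {
			return s
		}
	}
}

// HasDigit reports whether s contains at least one ASCII digit.
func HasDigit(s string) bool {
	return strings.ContainsAny(s, digits)
}

// DigitlessFraction samples gen and returns the fraction of outputs with no
// digit at all. A uniform generator converges to (52/62)^n; a generator with
// this flaw returns exactly 0 however many samples are drawn, which makes this
// a cheap regression check for any "random alphanumeric" helper.
func DigitlessFraction(gen func(int) string, n, samples int) float64 {
	missing := 0
	for i := 0; i < samples; i++ {
		if !HasDigit(gen(n)) {
			missing++
		}
	}
	return float64(missing) / float64(samples)
}

func main() {
	for _, n := range []int{1, 2, 4, 8, 16} {
		fmt.Printf("len %2d: uniform %6.2f bits, forced-digit at most %6.2f bits\n",
			n, EntropyBits(n, false), EntropyBits(n, true))
	}
	const n, samples = 4, 20000
	fmt.Printf("digitless fraction at len %d: uniform %.3f (expected %.3f), forced-digit %.3f\n",
		n, DigitlessFraction(UniformAlphaNumeric, n, samples),
		math.Pow(52.0/62.0, n), DigitlessFraction(ForcedDigitAlphaNumeric, n, samples))
}
```

Running it shows why the advisory stresses short strings: at length 1 the bound falls from about 5.95 bits to 3.32 bits (only the ten digits are possible), at length 2 from 11.91 to 10.15 bits, while at length 8 the gap is already under half a bit. The sampling check is the practical takeaway: a correct generator produces all-letter outputs at the rate (52/62)^n, so a helper that never does so over a few thousand samples is exhibiting this flaw.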

Comment 7 Anten Skrabec 2023-01-09 22:10:28 UTC
Created golang-github-rubenv-sql-migrate tracking bugs for this issue:

Affects: fedora-36 [bug 2159520]

Comment 8 Anten Skrabec 2023-01-10 23:30:25 UTC
Created golang-github-masterminds-goutils tracking bugs for this issue:

Affects: fedora-36 [bug 2159843]

Comment 33 errata-xmlrpc 2023-01-30 16:22:20 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2023:0540 https://access.redhat.com/errata/RHSA-2023:0540

Comment 34 errata-xmlrpc 2023-01-30 17:21:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Service Mesh 2.3 for RHEL 8

Via RHSA-2023:0542 https://access.redhat.com/errata/RHSA-2023:0542

Comment 35 errata-xmlrpc 2023-01-30 17:31:03 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:0449 https://access.redhat.com/errata/RHSA-2023:0449

Comment 41 Product Security DevOps Team 2023-02-01 07:25:55 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-4238

Comment 43 errata-xmlrpc 2023-02-07 13:22:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:0565 https://access.redhat.com/errata/RHSA-2023:0565

Comment 44 errata-xmlrpc 2023-02-07 21:23:48 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:0569 https://access.redhat.com/errata/RHSA-2023:0569

Comment 45 errata-xmlrpc 2023-02-08 18:49:33 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0561 https://access.redhat.com/errata/RHSA-2023:0561

Comment 46 errata-xmlrpc 2023-02-13 04:31:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.9

Via RHSA-2023:0574 https://access.redhat.com/errata/RHSA-2023:0574

Comment 47 errata-xmlrpc 2023-02-15 07:42:53 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:0651 https://access.redhat.com/errata/RHSA-2023:0651

Comment 48 errata-xmlrpc 2023-02-16 18:18:30 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:0728 https://access.redhat.com/errata/RHSA-2023:0728

Comment 49 errata-xmlrpc 2023-02-17 03:32:41 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.6

Via RHSA-2023:0802 https://access.redhat.com/errata/RHSA-2023:0802

Comment 50 errata-xmlrpc 2023-02-17 03:46:21 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.7

Via RHSA-2023:0803 https://access.redhat.com/errata/RHSA-2023:0803

Comment 51 errata-xmlrpc 2023-02-17 04:12:10 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift GitOps 1.5

Via RHSA-2023:0804 https://access.redhat.com/errata/RHSA-2023:0804

Comment 52 errata-xmlrpc 2023-02-20 18:30:51 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:0770 https://access.redhat.com/errata/RHSA-2023:0770

Comment 53 errata-xmlrpc 2023-02-21 18:11:31 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:0774 https://access.redhat.com/errata/RHSA-2023:0774

Comment 54 errata-xmlrpc 2023-03-01 09:00:12 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:0899 https://access.redhat.com/errata/RHSA-2023:0899

Comment 55 errata-xmlrpc 2023-03-08 15:31:13 UTC
This issue has been addressed in the following products:

  RHODF-4.12-RHEL-8

Via RHSA-2023:1170 https://access.redhat.com/errata/RHSA-2023:1170

Comment 56 errata-xmlrpc 2023-03-14 02:49:54 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:1159 https://access.redhat.com/errata/RHSA-2023:1159

Comment 57 errata-xmlrpc 2023-03-16 03:52:13 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1154 https://access.redhat.com/errata/RHSA-2023:1154

Comment 59 errata-xmlrpc 2023-03-21 04:14:08 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.12

Via RHSA-2023:1270 https://access.redhat.com/errata/RHSA-2023:1270

Comment 60 errata-xmlrpc 2023-03-22 03:13:45 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.11

Via RHSA-2023:1297 https://access.redhat.com/errata/RHSA-2023:1297

Comment 63 errata-xmlrpc 2023-03-29 00:58:43 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.10

Via RHSA-2023:1393 https://access.redhat.com/errata/RHSA-2023:1393

Comment 65 errata-xmlrpc 2023-05-17 22:31:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.13

Via RHSA-2023:1326 https://access.redhat.com/errata/RHSA-2023:1326

Comment 66 errata-xmlrpc 2023-06-22 19:52:08 UTC
This issue has been addressed in the following products:

  RHODF-4.13-RHEL-9

Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742