Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. However, it does not check the return value; it assumes EntropySource() always succeeds, but it can (and sometimes will) fail.
Impacts: All versions of the 18.x and 16.x release lines.
https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/
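
The unchecked-return pattern described in the report above, next to a checked form, as an added example (not Node.js source and not part of the original report). All names here are hypothetical, and the sketch assumes a zero-initialized buffer, so a failed entropy call yields an all-zero key.

```cpp
// Added illustration; every name here is hypothetical, not Node.js code.
#include <algorithm>
#include <cstddef>
#include <cstdio>
#include <optional>
#include <random>
#include <vector>

using EntropyFn = bool (*)(unsigned char* buf, std::size_t len);

// Constructed failing source: reports failure and writes nothing.
bool failing_source(unsigned char*, std::size_t) { return false; }

// Working source backed by std::random_device (stand-in for an OS CSPRNG call).
bool os_source(unsigned char* buf, std::size_t len) {
  try {
    std::random_device rd;
    for (std::size_t i = 0; i < len; ++i) buf[i] = static_cast<unsigned char>(rd());
    return true;
  } catch (...) {
    return false;
  }
}

// Pattern from the report: result ignored, so the caller always gets a "key".
std::vector<unsigned char> keygen_unchecked(EntropyFn src, std::size_t len) {
  std::vector<unsigned char> key(len);  // zero-initialized in this sketch
  src(key.data(), len);                 // failure is silently dropped
  return key;
}

// Checked form: no key is returned unless the entropy call succeeded.
std::optional<std::vector<unsigned char>> keygen_checked(EntropyFn src, std::size_t len) {
  std::vector<unsigned char> key(len);
  if (!src(key.data(), len)) return std::nullopt;
  return key;
}

bool all_zero(const std::vector<unsigned char>& v) {
  return std::all_of(v.begin(), v.end(), [](unsigned char b) { return b == 0; });
}

int main() {
  auto weak = keygen_unchecked(failing_source, 32);
  std::printf("unchecked, source failed: all-zero key = %d\n", all_zero(weak));
  std::printf("checked, source failed: key returned = %d\n",
              keygen_checked(failing_source, 32).has_value());
  return 0;
}
```
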
Created nodejs tracking bugs for this issue:
Affects: epel-all [bug 2130524]
Affects: fedora-all [bug 2130523]
Created nodejs:12/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2130527]
Created nodejs:13/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2130525]
Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2130528]
Created nodejs:15/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2130529]
Created nodejs:16-epel/nodejs tracking bugs for this issue:
Affects: epel-all [bug 2130526]
Created nodejs:16/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2130530]
Created nodejs:18/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2130531]
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2022:6963 https://access.redhat.com/errata/RHSA-2022:6963
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:6964 https://access.redhat.com/errata/RHSA-2022:6964
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:7821 https://access.redhat.com/errata/RHSA-2022:7821
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-35255