Уязвимость CVE-2022-35255: Информация

Описание

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

Важность: CRITICAL (9,1) Вектор: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Исправленные пакеты

Ссылки на рекомендации, решения и инструменты

1. Подверженные конфигурации:

   1. Конфигурация 1

      cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

      Start including

      16.0.0

      End including

      16.12.0

      ---

      cpe:2.3:a:nodejs:node.js:*:*:*:*:lts:*:*:*

      Start including

      16.13.0

      End excliding

      16.17.1

      ---

      cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

      Start including

      18.0.0

      End excliding

      18.9.1

      ---

      cpe:2.3:a:nodejs:node.js:*:*:*:*:-:*:*:*

      Start including

      15.0.0

      End including

      15.14.0

      ---

      Конфигурация 2

      cpe:2.3:a:siemens:sinec_ins:1.0:sp1:*:*:*:*:*:*

      ---

      cpe:2.3:a:siemens:sinec_ins:*:*:*:*:*:*:*:*

      End excliding

      1.0

      ---

      cpe:2.3:a:siemens:sinec_ins:1.0:-:*:*:*:*:*:*

      ---

      cpe:2.3:a:siemens:sinec_ins:1.0:sp2:*:*:*:*:*:*

      ---

      Конфигурация 3

      cpe:2.3:o:debian:debian_linux:11.0:*:*:*:*:*:*:*

      ---