CVE-2022-35255: Weak RNG
First published: Fri Sep 23 2022(Updated: )
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.
Credit: support@hackerone.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/nodejs | <1:16.17.1-1.el9_0 | 1:16.17.1-1.el9_0 |
| Nodejs Node.js | >=15.0.0<=15.14.0 | |
| Nodejs Node.js | >=16.0.0<=16.12.0 | |
| Nodejs Node.js | >=16.13.0<16.17.1 | |
| Nodejs Node.js | >=18.0.0<18.9.1 | |
| Siemens Sinec Ins | <1.0 | |
| Siemens Sinec Ins | =1.0 | |
| Siemens Sinec Ins | =1.0-sp1 | |
| Siemens Sinec Ins | =1.0-sp2 | |
| Debian Debian Linux | =11.0 | |
| debian/nodejs | 10.24.0~dfsg-1~deb10u1 10.24.0~dfsg-1~deb10u3 12.22.12~dfsg-1~deb11u4 18.13.0+dfsg1-1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://cert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
- https://hackerone.com/reports/1690000
- https://security.netapp.com/advisory/ntap-20230113-0002/
- https://www.debian.org/security/2023/dsa-5326
- https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130524
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130523
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130527
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130525
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130528
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130529
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130526
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130530
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130531
- https://access.redhat.com/errata/RHSA-2022:6963
- https://access.redhat.com/errata/RHSA-2022:6964
- https://access.redhat.com/errata/RHSA-2022:7821
- https://access.redhat.com/security/cve/cve-2022-35255
- https://bugzilla.redhat.com/show_bug.cgi?id=2130517
- https://www.cve.org/CVERecord?id=CVE-2022-35255 https://nvd.nist.gov/vuln/detail/CVE-2022-35255 https://hackerone.com/bugs?report_id=1690000 https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255
- https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255
- https://github.com/nodejs/node/commit/0c2a5723beff39d1f62daec96b5389da3d427e79
- https://github.com/nodejs/node/commit/dae283d96fd31ad0f30840a7e55ac97294f505ac
- https://security-tracker.debian.org/tracker/CVE-2022-35255
Parent vulnerabilities
(Appears in the following advisories)
Frequently Asked Questions
What is CVE-2022-35255?
CVE-2022-35255 is a vulnerability found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() function.
How severe is CVE-2022-35255?
CVE-2022-35255 has a severity value of 9.1, which is considered critical.
Which versions of NodeJS are affected by CVE-2022-35255?
NodeJS versions up to and including 16.17.1 and 18.9.1 are affected by CVE-2022-35255.
How can I fix CVE-2022-35255?
To fix CVE-2022-35255, update your NodeJS installation to version 16.17.1 or higher for NodeJS 16, and version 18.9.1 or higher for NodeJS 18.
Where can I find more information about CVE-2022-35255?
You can find more information about CVE-2022-35255 at the following references: [NodeJS September 2022 Security Releases](https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/), [Red Hat Bugzilla - CVE-2022-35255](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130524), [Red Hat Bugzilla - CVE-2022-35255](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2130523).
- collector/redhat-cve
- collector/security-tracker-debian
- collector/nvd-index
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- agent/author
- agent/references
- agent/severity
- agent/weakness
- agent/description
- agent/tags
- agent/event
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2022-35255
- agent/software-canonical-lookup
- agent/last-modified-date
- collector/mitre-cve
- source/MITRE
- package-manager/redhat
- package-manager/debian
- vendor/nodejs
- canonical/nodejs node.js
- version/nodejs node.js/15.0.0
- version/nodejs node.js/15.14.0
- version/nodejs node.js/16.0.0
- version/nodejs node.js/16.12.0
- version/nodejs node.js/16.13.0
- version/nodejs node.js/18.0.0
- vendor/siemens
- canonical/siemens sinec ins
- version/siemens sinec ins/1.0
- version/siemens sinec ins/1.0-sp1
- version/siemens sinec ins/1.0-sp2
- vendor/debian
- canonical/debian debian linux
- version/debian debian linux/11.0