What is CVE-2023-31147?

CVE-2023-31147 is a vulnerability in the c-ares library that allows for the generation of predictable random numbers for DNS query IDs.

How does CVE-2023-31147 affect c-ares?

CVE-2023-31147 affects c-ares versions up to and including 1.19.1.

What is the severity of CVE-2023-31147?

The severity of CVE-2023-31147 is medium with a CVSS score of 6.5.

How can I fix CVE-2023-31147?

To fix CVE-2023-31147, you should upgrade to a version of c-ares that is not affected by this vulnerability.

Where can I find more information about CVE-2023-31147?

You can find more information about CVE-2023-31147 at the following references: [Access Red Hat](https://access.redhat.com/security/cve/CVE-2023-31147), [GitHub Security Advisory](https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2), [Bugzilla Red Hat](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2209542).

Vulnerability/
CVE-2023-31147

medium

6.5

CWE

330

24/5/2023

25/5/2023

2/8/2024

CVE-2023-31147: Insufficient randomness in generation of DNS query IDs in c-ares

First published: Wed May 24 2023(Updated: )

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.

Credit: security-advisories@github.com security-advisories@github.com

Affected Software	Affected Version	How to fix
C-ares Project C-ares	<1.19.1
Fedoraproject Fedora	=37
Fedoraproject Fedora	=38

Never miss a vulnerability like this again

Reference Links

Frequently Asked Questions

What is CVE-2023-31147?
CVE-2023-31147 is a vulnerability in the c-ares library that allows for the generation of predictable random numbers for DNS query IDs.
How does CVE-2023-31147 affect c-ares?
CVE-2023-31147 affects c-ares versions up to and including 1.19.1.
What is the severity of CVE-2023-31147?
The severity of CVE-2023-31147 is medium with a CVSS score of 6.5.
How can I fix CVE-2023-31147?
To fix CVE-2023-31147, you should upgrade to a version of c-ares that is not affected by this vulnerability.
Where can I find more information about CVE-2023-31147?
You can find more information about CVE-2023-31147 at the following references: [Access Red Hat](https://access.redhat.com/security/cve/CVE-2023-31147), [GitHub Security Advisory](https://github.com/c-ares/c-ares/security/advisories/GHSA-8r8p-23f3-64c2), [Bugzilla Red Hat](https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=2209542).

collector/nvd-latest
vendor/c-ares project
vendor/c-ares
vendor/fedoraproject
vendor/fedora
product/c-ares
canonical/c-ares project c-ares
product/fedora
canonical/fedoraproject fedora
collector/nvd-index
collector/nvd-api
agent/author
agent/type
agent/softwarecombine
agent/first-publish-date
agent/references
agent/weakness
agent/description
collector/redhat-bugzilla
source/Red Hat
alias/CVE-2023-31147
collector/mitre-cve
source/MITRE
agent/last-modified-date
agent/title
agent/severity
agent/tags
agent/event
version/fedoraproject fedora/37
version/fedoraproject fedora/38