{
  "threat_severity" : "Important",
  "public_date" : "2022-09-23T00:00:00Z",
  "bugzilla" : {
    "description" : "nodejs: weak randomness in WebCrypto keygen",
    "id" : "2130517",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2130517"
  },
  "cvss3" : {
    "cvss3_base_score" : "8.2",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
    "status" : "verified"
  },
  "cwe" : "CWE-338",
  "details" : [ "A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.", "A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information." ],
  "statement" : "The vulnerability was introduced in NodeJS v15.0.0, Hence, NodeJS:14 package in RHEL-8 and RHSCL-3 are not affected.",
  "acknowledgement" : "Upstream acknowledges Ben Noordhuis as the original reporter.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-10-17T00:00:00Z",
    "advisory" : "RHSA-2022:6964",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:16-8060020221007164523.ad008a3a"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2022-11-08T00:00:00Z",
    "advisory" : "RHSA-2022:7821",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8",
    "package" : "nodejs:18-8070020221004121421.bd1311ed"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2022-10-18T00:00:00Z",
    "advisory" : "RHSA-2022:6963",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9",
    "package" : "nodejs-1:16.17.1-1.el9_0"
  } ],
  "package_state" : [ {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:14/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "nodejs:18/nodejs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Software Collections",
    "fix_state" : "Not affected",
    "package_name" : "rh-nodejs14-nodejs",
    "cpe" : "cpe:/a:redhat:rhel_software_collections:3"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2022-35255\nhttps://nvd.nist.gov/vuln/detail/CVE-2022-35255\nhttps://hackerone.com/bugs?report_id=1690000\nhttps://nodejs.org/en/blog/vulnerability/september-2022-security-releases/#weak-randomness-in-webcrypto-keygen-high-cve-2022-35255" ],
  "name" : "CVE-2022-35255",
  "csaw" : false
}