node-uuid before 1.4.4 uses insufficiently random data to create a GUID, which could make it easier for attackers to have unspecified impact via brute force guessing.
Weakness
The product uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
Affected Software
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Node-uuid | Node-uuid_project | * | 1.4.4 (excluding) |
| Red Hat OpenShift Container Platform 3.2 | RedHat | atomic-openshift-0:3.2.1.1-1.git.0.96f9555.el7 | * |
| Red Hat OpenShift Container Platform 3.2 | RedHat | heapster-0:1.1.0-1.beta2.el7 | * |
| Node-uuid | Ubuntu | artful | * |
| Node-uuid | Ubuntu | precise | * |
| Node-uuid | Ubuntu | upstream | * |
| Node-uuid | Ubuntu | wily | * |
| Node-uuid | Ubuntu | yakkety | * |
| Node-uuid | Ubuntu | zesty | * |
Potential Mitigations
Related Attack Patterns
References
- http://www.openwall.com/lists/oss-security/2016/04/13/8
- https://bugzilla.redhat.com/show_bug.cgi?id=1327056
- https://github.com/broofa/node-uuid/commit/672f3834ed02c798aa021c618d0a5666c8da000d
- https://nodesecurity.io/advisories/93
- http://www.openwall.com/lists/oss-security/2016/04/13/8
- https://bugzilla.redhat.com/show_bug.cgi?id=1327056
- https://github.com/broofa/node-uuid/commit/672f3834ed02c798aa021c618d0a5666c8da000d
- https://nodesecurity.io/advisories/93