CVE-2022-35255

Description

A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material.

How to fix CVE-2022-35255

To remediate CVE-2022-35255, upgrade the affected package to a fixed version below.

• —upgrade to 16.17.1-r0 or later
• —upgrade to 15.14.1 or later
• —upgrade to 15.14.1 or later
• —upgrade to 12.22.12~dfsg-1~deb11u3 or later

Is CVE-2022-35255 being exploited?

Low — EPSS is 1.2%, meaning exploitation activity has not been observed at scale.

Affected packages (4)

• from 0, < 16.17.1-r0
• >= 15.0.0, < 15.14.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.9.1
• >= 15.0.0, < 15.14.1, >= 16.0.0, < 16.12.1, >= 16.13.0, < 16.17.1, >= 18.0.0, < 18.9.1
• from 0, < 12.22.12~dfsg-1~deb11u3

CVSS scores

References (7)

• ADVISORYsecurity.alpinelinux.org/vuln/CVE-2022-35255
• ADVISORYsecurity-tracker.debian.org/tracker/CVE-2022-35255
• WEBcert-portal.siemens.com/productcert/pdf/ssa-332410.pdf
• WEBhackerone.com/reports/1690000
• WEB