Oracle Linux: CVE-2022-35255: ELSA-2022-9947: GraalVM Security update (IMPORTANT) (Multiple Advisories)
Description
A weak randomness in WebCrypto keygen vulnerability exists in Node.js 18 due to a change with EntropySource() in SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. There are two problems with this: 1) It does not check the return value, it assumes EntropySource() always succeeds, but it can (and sometimes will) fail. 2) The random data returned byEntropySource() may not be cryptographically strong and therefore not suitable as keying material. A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information.
Solution(s)
- oracle-linux-upgrade-graalvm22-ce-11
- oracle-linux-upgrade-graalvm22-ce-11-devel
- oracle-linux-upgrade-graalvm22-ce-11-espresso
- oracle-linux-upgrade-graalvm22-ce-11-espresso-llvm
- oracle-linux-upgrade-graalvm22-ce-11-fastr
- oracle-linux-upgrade-graalvm22-ce-11-javascript
- oracle-linux-upgrade-graalvm22-ce-11-jdk
- oracle-linux-upgrade-graalvm22-ce-11-libpolyglot
- oracle-linux-upgrade-graalvm22-ce-11-llvm
- oracle-linux-upgrade-graalvm22-ce-11-llvm-toolchain
- oracle-linux-upgrade-graalvm22-ce-11-native-image
- oracle-linux-upgrade-graalvm22-ce-11-native-image-llvm-backend
- oracle-linux-upgrade-graalvm22-ce-11-nodejs
- oracle-linux-upgrade-graalvm22-ce-11-nodejs-devel
- oracle-linux-upgrade-graalvm22-ce-11-polyglot
- oracle-linux-upgrade-graalvm22-ce-11-python
- oracle-linux-upgrade-graalvm22-ce-11-python-devel
- oracle-linux-upgrade-graalvm22-ce-11-ruby
- oracle-linux-upgrade-graalvm22-ce-11-ruby-devel
- oracle-linux-upgrade-graalvm22-ce-11-tools
- oracle-linux-upgrade-graalvm22-ce-11-wasm
- oracle-linux-upgrade-graalvm22-ce-17
- oracle-linux-upgrade-graalvm22-ce-17-devel
- oracle-linux-upgrade-graalvm22-ce-17-espresso
- oracle-linux-upgrade-graalvm22-ce-17-espresso-llvm
- oracle-linux-upgrade-graalvm22-ce-17-fastr
- oracle-linux-upgrade-graalvm22-ce-17-javascript
- oracle-linux-upgrade-graalvm22-ce-17-jdk
- oracle-linux-upgrade-graalvm22-ce-17-libpolyglot
- oracle-linux-upgrade-graalvm22-ce-17-llvm
- oracle-linux-upgrade-graalvm22-ce-17-llvm-toolchain
- oracle-linux-upgrade-graalvm22-ce-17-native-image
- oracle-linux-upgrade-graalvm22-ce-17-native-image-llvm-backend
- oracle-linux-upgrade-graalvm22-ce-17-nodejs
- oracle-linux-upgrade-graalvm22-ce-17-nodejs-devel
- oracle-linux-upgrade-graalvm22-ce-17-polyglot
- oracle-linux-upgrade-graalvm22-ce-17-python
- oracle-linux-upgrade-graalvm22-ce-17-python-devel
- oracle-linux-upgrade-graalvm22-ce-17-ruby
- oracle-linux-upgrade-graalvm22-ce-17-ruby-devel
- oracle-linux-upgrade-graalvm22-ce-17-tools
- oracle-linux-upgrade-graalvm22-ce-17-wasm
- oracle-linux-upgrade-nodejs-packaging
- Lightweight Endpoint Agent
- Live Dashboards
- Real Risk Prioritization
- IT-Integrated Remediation Projects
- Cloud, Virtual, and Container Assessment
- Integrated Threat Feeds
- Easy-to-Use RESTful API
- Automation-Assisted Patching
- Automated Containment
With Rapid7 live dashboards, I have a clear view of all the assets on my network, which ones can be exploited, and what I need to do in order to reduce the risk in my environment in real-time. No other tool gives us that kind of value and insight.
– Scott Cheney, Manager of Information Security, Sierra View Medical Center