Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS0zM202LXE5djUtNjJyN84AA6Xq
Predictable SIF UUID Identifiers
Impact
The siftool new command produces predictable UUID identifiers due to insecure randomness in the version of the github.com/satori/go.uuid module used as a dependency.
Patches
A patch is available in version >= v1.2.1-0.20180404165556-75cca531ea76 of the github.com/satori/go.uuid module; sif v1.2.2 and later depend on a fixed version. Users are encouraged to upgrade.
Fixed by https://github.com/hpcng/sif/pull/90
Workarounds
Users passing a CreateInfo struct should ensure its ID field is generated using a version of github.com/satori/go.uuid that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. One way to obtain a non-vulnerable version is to pin the fixed commit directly:
go get -u github.com/satori/go.uuid@75cca531ea76
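The workaround above leaves the caller responsible for the quality of the ID it supplies. The example below is added here and is not code from sif or from go.uuid: it generates a version-4 UUID the defensive way (io.ReadFull from crypto/rand, error checked, version and variant bits set), places the unsafe pattern beside it (a single Read whose byte count and error are ignored), and includes a small Validate check. The UUID type, the naiveV4From function and the shortReader (a constructed io.Reader that returns fewer bytes than requested, used only to make the failure visible offline) are assumptions of this example; the linked go.uuid issue concerns how NewV4 obtains its random bytes, and a short or failed read is the general failure mode this pattern guards against, not a claim about the exact bytes affected siftool versions emitted.

```go
package main

import (
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// UUID is a 16-byte RFC 4122 identifier. This type is local to the example;
// sif's CreateInfo takes the type exported by its uuid dependency.
type UUID [16]byte

// NewV4From builds a version-4 UUID from r. io.ReadFull returns an error
// unless all 16 bytes were actually supplied, so a short or failing random
// source can never yield a partially filled identifier.
func NewV4From(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return UUID{}, fmt.Errorf("uuid: reading random bytes: %w", err)
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant
	return u, nil
}

// NewV4 draws from the operating system CSPRNG via crypto/rand.
func NewV4() (UUID, error) { return NewV4From(rand.Reader) }

// naiveV4From is the unsafe pattern, shown for contrast (an illustration of
// the bug class, not go.uuid's code): one Read, byte count and error both
// discarded. If r returns fewer than 16 bytes, the rest of u stays zero.
func naiveV4From(r io.Reader) UUID {
	var u UUID
	_, _ = r.Read(u[:])
	u[6] = (u[6] & 0x0f) | 0x40
	u[8] = (u[8] & 0x3f) | 0x80
	return u
}

// String renders the canonical 8-4-4-4-12 hex form.
func (u UUID) String() string {
	return fmt.Sprintf("%x-%x-%x-%x-%x", u[0:4], u[4:6], u[6:8], u[8:10], u[10:16])
}

// Validate checks the version and variant bits and rejects an identifier
// whose last seven bytes are all zero. A genuine v4 UUID has that tail with
// probability 2^-56; a UUID built from a short random read, as naiveV4From
// shows, has it every time. It is a sanity check, not proof of a good source.
func Validate(u UUID) error {
	if u[6]>>4 != 4 {
		return errors.New("uuid: version nibble is not 4")
	}
	if u[8]&0xc0 != 0x80 {
		return errors.New("uuid: variant bits are not RFC 4122")
	}
	for _, b := range u[9:] {
		if b != 0 {
			return nil
		}
	}
	return errors.New("uuid: random tail is all zero; random source likely short-read")
}

// shortReader is a constructed io.Reader for the demonstration: it hands out
// n copies of fill and then reports io.EOF, modelling a random source that
// returns fewer bytes than requested.
type shortReader struct {
	n    int
	fill byte
}

func newShortReader(n int, fill byte) *shortReader { return &shortReader{n: n, fill: fill} }

func (s *shortReader) Read(p []byte) (int, error) {
	if s.n == 0 {
		return 0, io.EOF
	}
	k := len(p)
	if k > s.n {
		k = s.n
	}
	for i := 0; i < k; i++ {
		p[i] = s.fill
	}
	s.n -= k
	return k, nil
}

func main() {
	good, err := NewV4()
	if err != nil {
		panic(err)
	}
	fmt.Println("crypto/rand v4:", good, Validate(good))

	// Only 9 of the 16 requested bytes are available from this source.
	if _, err := NewV4From(newShortReader(9, 0xff)); err != nil {
		fmt.Println("hardened path refuses short read:", err)
	}
	bad := naiveV4From(newShortReader(9, 0xff))
	fmt.Println("naive path accepts it:", bad, Validate(bad))
}
```

Validate is the part worth keeping around when auditing identifiers already written into files: it cannot prove an ID came from a good source, but it does flag the fixed-zero tail that an unchecked short read leaves behind, and it rejects anything that is not a well-formed v4 value before that.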
References
https://github.com/satori/go.uuid/issues/73
For more information
If you have any questions or comments about this advisory:
Open an issue in https://github.com/hpcng/sif/issues
Permalink: https://github.com/advisories/GHSA-33m6-q9v5-62r7
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS0zM202LXE5djUtNjJyN84AA6Xq
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Critical
Classification: General
Published: over 1 year ago
Updated: 24 days ago
CVSS Score: 9.8
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Identifiers: GHSA-33m6-q9v5-62r7, CVE-2021-3538
References:
- https://github.com/hpcng/sif/security/advisories/GHSA-33m6-q9v5-62r7
- https://nvd.nist.gov/vuln/detail/CVE-2021-3538
- https://github.com/satori/go.uuid/issues/73
- https://github.com/satori/go.uuid/pull/75
- https://github.com/satori/go.uuid/commit/75cca531ea763666bc46e531da3b4c3b95f64557
- https://bugzilla.redhat.com/show_bug.cgi?id=1954376
- https://pkg.go.dev/vuln/GO-2022-0244
- https://snyk.io/vuln/SNYK-GOLANG-GITHUBCOMSATORIGOUUID-72488
- https://github.com/advisories/GHSA-33m6-q9v5-62r7
Blast Radius: 46.3
Affected Packages
go:github.com/apptainer/sif
Dependent packages: 0
Dependent repositories: 0
Affected Version Ranges: < 1.2.2
Fixed in: 1.2.2
All affected versions: 1.0.0, 1.0.1, 1.0.2, 1.0.3, 1.0.4, 1.0.5, 1.0.6, 1.0.7, 1.0.8, 1.0.9, 1.0.10, 1.1.0, 1.2.0, 1.2.1
All unaffected versions: 1.2.2, 1.2.3, 1.4.5, 1.5.1, 1.6.0, 1.7.0
go:github.com/satori/go.uuid
Dependent packages: 11,155
Dependent repositories: 53,217
Affected Version Ranges: >= 1.2.1-0.20180103161547-0ef6afb2f6cd, < 1.2.1-0.20180404165556-75cca531ea76
Fixed in: 1.2.1-0.20180404165556-75cca531ea76
All affected versions: (no tagged release; only the pseudo-version range above)
All unaffected versions: 1.0.0, 1.1.0, 1.2.0