CBL Mariner 2.0 Security Update: c-ares / nodejs / fluent-bit / nodejs18 / grpc (CVE-2023-31147)
Discription

The version of c-ares / nodejs / fluent-bit / nodejs18 / grpc installed on the remote CBL Mariner 2.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-31147 advisory. c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and May not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1. (CVE-2023-31147) Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version…Read More

Back to Main

Subscribe for the latest news: