CVE-2023-31147

c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() is unavailable, c-ares uses rand() to generate the random numbers used for DNS query IDs. rand() is not a CSPRNG, and because it is also not seeded with srand(), its output is predictable. Input from the random number generator is fed into a non-compliant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs such as arc4random(), which is widely available. This issue has been fixed in version 1.19.1.

Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST | Primary | 5.9 MEDIUM | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

EPSS Score Percentile: 27%

Affected Products (NVD)
Vendor | Product | Version
c-ares_project | c-ares | 𝑥 < 1.19.1
𝑥 = Vulnerable software versions

Debian Releases
Debian Product | Codename | Version | Status
c-ares | bookworm | | unimportant
c-ares | bullseye | | unimportant
c-ares | bullseye (security) | | unimportant
c-ares | sid | 1.34.4-2.1 | fixed
c-ares | trixie | 1.34.4-1 | fixed

Ubuntu Releases
Ubuntu Product | Codename | Status
c-ares | bionic | not-affected
c-ares | focal | not-affected
c-ares | jammy | not-affected
c-ares | kinetic | not-affected
c-ares | lunar | not-affected
c-ares | trusty | ignored
c-ares | xenial | not-affected

openSUSE / SLES Releases
openSUSE Product | Release | Version | Status
c-ares-devel | suse enterprise desktop 15 SP4 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise desktop 15 SP5 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise desktop 15 SP6 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise desktop 15 SP7 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise sap 15 SP1 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise sap 15 SP2 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise sap 15 SP4 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise sap 15 SP5 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise sap 15 SP6 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise sap 15 SP7 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise server 15 SP1 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise server 15 SP2 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise server 15 SP3 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise server 15 SP4 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise server 15 SP5 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise server 15 SP6 | 1.19.1-150000.3.23.1 | fixed
c-ares-devel | suse enterprise server 15 SP7 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise desktop 15 SP4 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise desktop 15 SP5 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise desktop 15 SP6 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise desktop 15 SP7 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise sap 15 SP1 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise sap 15 SP2 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise sap 15 SP4 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise sap 15 SP5 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise sap 15 SP6 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise sap 15 SP7 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise server 15 SP1 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise server 15 SP2 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise server 15 SP3 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise server 15 SP4 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise server 15 SP5 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise server 15 SP6 | 1.19.1-150000.3.23.1 | fixed
libcares2 | suse enterprise server 15 SP7 | 1.19.1-150000.3.23.1 | fixed
nodejs16 | suse enterprise sap 12 | 16.20.1-8.30.1 | fixed
nodejs16 | suse enterprise sap 12 SP3 | 16.20.1-8.30.1 | fixed
nodejs16 | suse enterprise sap 12 SP4 | 16.20.1-8.30.1 | fixed
nodejs16 | suse enterprise sap 12 SP5 | 16.20.1-8.30.1 | fixed
nodejs16 | suse enterprise sap 15 SP4 | 16.20.1-150400.3.21.1 | fixed
nodejs16 | suse enterprise server 12 | 16.20.1-8.30.1 | fixed
nodejs16 | suse enterprise server 12 SP3 | 16.20.1-8.30.1 | fixed
nodejs16 | suse enterprise server 12 SP4 | 16.20.1-8.30.1 | fixed
nodejs16 | suse enterprise server 12 SP5 | 16.20.1-8.30.1 | fixed
nodejs16 | suse enterprise server 15 SP3 | 16.20.1-150300.7.24.2 | fixed
nodejs16 | suse enterprise server 15 SP4 | 16.20.1-150400.3.21.1 | fixed
nodejs16-devel | suse enterprise sap 12 | 16.20.1-8.30.1 | fixed
nodejs16-devel | suse enterprise sap 12 SP3 | 16.20.1-8.30.1 | fixed
nodejs16-devel | suse enterprise sap 12 SP4 | 16.20.1-8.30.1 | fixed
nodejs16-devel | suse enterprise sap 12 SP5 | 16.20.1-8.30.1 | fixed
nodejs16-devel | suse enterprise sap 15 SP4 | 16.20.1-150400.3.21.1 | fixed
nodejs16-devel | suse enterprise server 12 | 16.20.1-8.30.1 | fixed
nodejs16-devel | suse enterprise server 12 SP3 | 16.20.1-8.30.1 | fixed
nodejs16-devel | suse enterprise server 12 SP4 | 16.20.1-8.30.1 | fixed
nodejs16-devel | suse enterprise server 12 SP5 | 16.20.1-8.30.1 | fixed
nodejs16-devel | suse enterprise server 15 SP3 | 16.20.1-150300.7.24.2 | fixed
nodejs16-devel | suse enterprise server 15 SP4 | 16.20.1-150400.3.21.1 | fixed
nodejs16-docs | suse enterprise sap 12 | 16.20.1-8.30.1 | fixed
nodejs16-docs | suse enterprise sap 12 SP3 | 16.20.1-8.30.1 | fixed
nodejs16-docs | suse enterprise sap 12 SP4 | 16.20.1-8.30.1 | fixed
nodejs16-docs | suse enterprise sap 12 SP5 | 16.20.1-8.30.1 | fixed
nodejs16-docs | suse enterprise sap 15 SP4 | 16.20.1-150400.3.21.1 | fixed
nodejs16-docs | suse enterprise server 12 | 16.20.1-8.30.1 | fixed
nodejs16-docs | suse enterprise server 12 SP3 | 16.20.1-8.30.1 | fixed
nodejs16-docs | suse enterprise server 12 SP4 | 16.20.1-8.30.1 | fixed
nodejs16-docs | suse enterprise server 12 SP5 | 16.20.1-8.30.1 | fixed
nodejs16-docs | suse enterprise server 15 SP3 | 16.20.1-150300.7.24.2 | fixed
nodejs16-docs | suse enterprise server 15 SP4 | 16.20.1-150400.3.21.1 | fixed
nodejs18 | suse enterprise sap 12 | 18.16.1-8.9.1 | fixed
nodejs18 | suse enterprise sap 12 SP3 | 18.16.1-8.9.1 | fixed
nodejs18 | suse enterprise sap 12 SP4 | 18.16.1-8.9.1 | fixed
nodejs18 | suse enterprise sap 12 SP5 | 18.16.1-8.9.1 | fixed
nodejs18 | suse enterprise sap 15 SP4 | 18.16.1-150400.9.9.1 | fixed
nodejs18 | suse enterprise sap 15 SP5 | 18.16.1-150400.9.9.1 | fixed
nodejs18 | suse enterprise server 12 | 18.16.1-8.9.1 | fixed
nodejs18 | suse enterprise server 12 SP3 | 18.16.1-8.9.1 | fixed
nodejs18 | suse enterprise server 12 SP4 | 18.16.1-8.9.1 | fixed
nodejs18 | suse enterprise server 12 SP5 | 18.16.1-8.9.1 | fixed
nodejs18 | suse enterprise server 15 SP4 | 18.16.1-150400.9.9.1 | fixed
nodejs18 | suse enterprise server 15 SP5 | 18.16.1-150400.9.9.1 | fixed
nodejs18-devel | suse enterprise sap 12 | 18.16.1-8.9.1 | fixed
nodejs18-devel | suse enterprise sap 12 SP3 | 18.16.1-8.9.1 | fixed
nodejs18-devel | suse enterprise sap 12 SP4 | 18.16.1-8.9.1 | fixed
nodejs18-devel | suse enterprise sap 12 SP5 | 18.16.1-8.9.1 | fixed
nodejs18-devel | suse enterprise sap 15 SP4 | 18.16.1-150400.9.9.1 | fixed
nodejs18-devel | suse enterprise sap 15 SP5 | 18.16.1-150400.9.9.1 | fixed
nodejs18-devel | suse enterprise server 12 | 18.16.1-8.9.1 | fixed
nodejs18-devel | suse enterprise server 12 SP3 | 18.16.1-8.9.1 | fixed
nodejs18-devel | suse enterprise server 12 SP4 | 18.16.1-8.9.1 | fixed
nodejs18-devel | suse enterprise server 12 SP5 | 18.16.1-8.9.1 | fixed
nodejs18-devel | suse enterprise server 15 SP4 | 18.16.1-150400.9.9.1 | fixed
nodejs18-devel | suse enterprise server 15 SP5 | 18.16.1-150400.9.9.1 | fixed
nodejs18-docs | suse enterprise sap 12 | 18.16.1-8.9.1 | fixed
nodejs18-docs | suse enterprise sap 12 SP3 | 18.16.1-8.9.1 | fixed
nodejs18-docs | suse enterprise sap 12 SP4 | 18.16.1-8.9.1 | fixed
nodejs18-docs | suse enterprise sap 12 SP5 | 18.16.1-8.9.1 | fixed
nodejs18-docs | suse enterprise sap 15 SP4 | 18.16.1-150400.9.9.1 | fixed
nodejs18-docs | suse enterprise sap 15 SP5 | 18.16.1-150400.9.9.1 | fixed
nodejs18-docs | suse enterprise server 12 | 18.16.1-8.9.1 | fixed
nodejs18-docs | suse enterprise server 12 SP3 | 18.16.1-8.9.1 | fixed
nodejs18-docs | suse enterprise server 12 SP4 | 18.16.1-8.9.1 | fixed
nodejs18-docs | suse enterprise server 12 SP5 | 18.16.1-8.9.1 | fixed
nodejs18-docs | suse enterprise server 15 SP4 | 18.16.1-150400.9.9.1 | fixed
nodejs18-docs | suse enterprise server 15 SP5 | 18.16.1-150400.9.9.1 | fixed
npm16 | suse enterprise sap 12 | 16.20.1-8.30.1 | fixed
npm16 | suse enterprise sap 12 SP3 | 16.20.1-8.30.1 | fixed
npm16 | suse enterprise sap 12 SP4 | 16.20.1-8.30.1 | fixed
npm16 | suse enterprise sap 12 SP5 | 16.20.1-8.30.1 | fixed
npm16 | suse enterprise sap 15 SP4 | 16.20.1-150400.3.21.1 | fixed
npm16 | suse enterprise server 12 | 16.20.1-8.30.1 | fixed
npm16 | suse enterprise server 12 SP3 | 16.20.1-8.30.1 | fixed
npm16 | suse enterprise server 12 SP4 | 16.20.1-8.30.1 | fixed
npm16 | suse enterprise server 12 SP5 | 16.20.1-8.30.1 | fixed
npm16 | suse enterprise server 15 SP3 | 16.20.1-150300.7.24.2 | fixed
npm16 | suse enterprise server 15 SP4 | 16.20.1-150400.3.21.1 | fixed
npm18 | suse enterprise sap 12 | 18.16.1-8.9.1 | fixed
npm18 | suse enterprise sap 12 SP3 | 18.16.1-8.9.1 | fixed
npm18 | suse enterprise sap 12 SP4 | 18.16.1-8.9.1 | fixed
npm18 | suse enterprise sap 12 SP5 | 18.16.1-8.9.1 | fixed
npm18 | suse enterprise sap 15 SP4 | 18.16.1-150400.9.9.1 | fixed
npm18 | suse enterprise sap 15 SP5 | 18.16.1-150400.9.9.1 | fixed
npm18 | suse enterprise server 12 | 18.16.1-8.9.1 | fixed
npm18 | suse enterprise server 12 SP3 | 18.16.1-8.9.1 | fixed
npm18 | suse enterprise server 12 SP4 | 18.16.1-8.9.1 | fixed
npm18 | suse enterprise server 12 SP5 | 18.16.1-8.9.1 | fixed
npm18 | suse enterprise server 15 SP4 | 18.16.1-150400.9.9.1 | fixed
npm18 | suse enterprise server 15 SP5 | 18.16.1-150400.9.9.1 | fixed

Red Hat Enterprise Linux Releases
Red Hat Product | Release | Version | Status
c-ares | RHEL 9 | 0:1.19.1-1.el9 | fixed
c-ares-devel | RHEL 9 | 0:1.19.1-1.el9 | fixed
nodejs | RHEL 9 | 1:16.19.1-2.el9_2 | fixed
nodejs-docs | RHEL 9 | 1:16.19.1-2.el9_2 | fixed
nodejs-full-i18n | RHEL 9 | 1:16.19.1-2.el9_2 | fixed
nodejs-libs | RHEL 9 | 1:16.19.1-2.el9_2 | fixed
npm | RHEL 9 | 1:8.19.3-1.16.19.1.2.el9_2 | fixed