CVE-2021-3538

SOURCE - github

Summary

### Impact

The `siftool new` command produces predictable UUID identifiers due to insecure randomness in the version of the `github.com/satori/go.uuid` module used as a dependency.

### Patches

A patch is available in version >= `v1.2.1-0.20180404165556-75cca531ea76` of the module. Users are encouraged to upgrade.

Fixed by https://github.com/hpcng/sif/pull/90

### Workarounds

Users passing `CreateInfo` struct should ensure the `ID` field is generated using a version of `github.com/satori/go.uuid` that is not vulnerable to this issue. Unfortunately, the latest tagged release is vulnerable to this issue. One way to obtain a non-vulnerable version is:

```
go get -u github.com/satori/go.uuid@v1.2.1-0.20180404165556-75cca531ea76
```

### References

https://github.com/satori/go.uuid/issues/73

### For more information

If you have any questions or comments about this advisory:

- Open an issue in https://github.com/hpcng/sif/issues
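The Workarounds section asks callers to make sure the ID they supply comes from a sound random source. The sketch below is an added example, not code from sif or go.uuid: it builds a version 4 UUID from the operating system CSPRNG using only the Go standard library and fails closed when the source returns too few bytes. The names `UUID`, `NewV4From` and `NewV4` are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"io"
)

// UUID is a 16-byte RFC 4122 identifier (hypothetical type for this example).
type UUID [16]byte

// NewV4From builds a version 4 UUID from r. io.ReadFull returns an error
// unless all 16 bytes were read, so a short read or a failing source can
// never yield an ID that is partly zero and therefore predictable.
func NewV4From(r io.Reader) (UUID, error) {
	var u UUID
	if _, err := io.ReadFull(r, u[:]); err != nil {
		return UUID{}, fmt.Errorf("uuid: reading random bytes: %w", err)
	}
	u[6] = (u[6] & 0x0f) | 0x40 // version 4 in the high nibble
	u[8] = (u[8] & 0x3f) | 0x80 // RFC 4122 variant in the top two bits
	return u, nil
}

// NewV4 draws the 16 bytes from the operating system CSPRNG.
func NewV4() (UUID, error) { return NewV4From(rand.Reader) }

// String renders the canonical 8-4-4-4-12 hexadecimal form.
func (u UUID) String() string {
	h := hex.EncodeToString(u[:])
	return h[0:8] + "-" + h[8:12] + "-" + h[12:16] + "-" + h[16:20] + "-" + h[20:]
}

func main() {
	id, err := NewV4()
	if err != nil {
		panic(err) // never continue with an ID that could not be randomized
	}
	fmt.Println("generated:", id)

	// Constructed input: a source that can supply only 5 of the 16 bytes.
	_, err = NewV4From(bytes.NewReader(make([]byte, 5)))
	fmt.Println("short source rejected:", err != nil)
}
```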

EPSS Score: 0.00245 (0.644)

Common Weakness Enumeration (CWE)

SOURCE - nist

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

SOURCE - github

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

SOURCE - gitlab

OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

SOURCE - redhat

Use of Cryptographically Weak Pseudo-Random Number Generator (PRNG)

