Impact

The nonce values included in Authentication Requests sent by Singularity Enterprise may not contain sufficient entropy as specified by the OpenID Connect Core 1.0 specification, due to a deficiency in the github.com/satori/go.uuid module used to generate nonce values.
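As an added illustration of the nonce requirement described above (this is not Singularity Enterprise code and not the patch itself), the following Go sketch draws nonce values directly from crypto/rand, fails closed if the random source cannot fill the buffer, and checks the nonce claim of a returned ID Token in constant time. The function names, the 32-byte nonce size and the constructed short source are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/subtle"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// nonceBytes is an assumed size for this example: 256 bits of CSPRNG output.
const nonceBytes = 32

// NewNonce reads exactly nonceBytes from r and base64url-encodes them.
// io.ReadFull reports a short read as an error, so a partly filled
// buffer is never sent as a nonce.
func NewNonce(r io.Reader) (string, error) {
	buf := make([]byte, nonceBytes)
	if _, err := io.ReadFull(r, buf); err != nil {
		return "", fmt.Errorf("generating nonce: %w", err)
	}
	return base64.RawURLEncoding.EncodeToString(buf), nil
}

// NewSessionNonce draws the nonce from the operating system CSPRNG.
func NewSessionNonce() (string, error) { return NewNonce(rand.Reader) }

// VerifyNonce checks the nonce claim of a returned ID Token against the value
// stored with the session, in constant time; an empty value never matches.
func VerifyNonce(stored, claimed string) error {
	if stored == "" || subtle.ConstantTimeCompare([]byte(stored), []byte(claimed)) != 1 {
		return errors.New("nonce mismatch")
	}
	return nil
}

// shortSource is a constructed faulty source that yields only 4 bytes.
func shortSource() io.Reader { return bytes.NewReader([]byte{1, 2, 3, 4}) }

func main() {
	n, err := NewSessionNonce()
	fmt.Println(len(n), err)
	_, err = NewNonce(shortSource())
	fmt.Println(err)
}
```
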

Patches

A patch is available in versions 1.2 through 1.6 of Singularity Enterprise, and customers are encouraged to upgrade. The patch is included in the following versions:

  • 1.2.6
  • 1.3.4
  • 1.4.4
  • 1.5.4
  • 1.6.3

Workarounds

No remediation is available; customers are encouraged to upgrade to a patched version.

References

For more information

If you have any questions or comments about this advisory, please contact [email protected].