Bug 1388494

Summary: nodejs-moment: Regular expression denial of service
Product: [Other] Security Response
Reporter: Andrej Nemec <anemec>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
Severity: medium
Priority: medium
Version: unspecified
CC: bkearney, meissner, taw, tchollingsworth, thomas, tkasparek, tlestach
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: nodejs-moment 2.15.2
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2017-01-10 20:00:14 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1388495
Bug Blocks: 1388497

Description Andrej Nemec 2016-10-25 13:48:53 UTC
moment is a lightweight JavaScript date library for parsing, validating, manipulating, and formatting dates.

Affected versions of the package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks for any locale that has separate format and standalone options and where the format input can be controlled by the user.

An attacker can provide a specially crafted input to the format function, which nearly matches the pattern being matched. This will cause the regular expression matching to take a long time, all the while occupying the event loop and preventing it from processing other requests and making the server unavailable (a Denial of Service attack).

External References:

https://snyk.io/vuln/npm:moment:20161019

Upstream patch:

https://github.com/moment/moment/commit/663f33e333212b3800b63592cd8e237ac8fabdb9
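Added example, not part of this bug report or of the moment code base: a regression check for the nested-quantifier regex shape the advisory describes, in the style of a test one would add alongside the fix. The two patterns are reconstructed from memory of the pre- and post-fix month-name regex in moment and are an assumption; the lint heuristic, the sample format strings and the near-miss input are constructed here.

```javascript
// Added example, not from the bug report or from moment itself.
// ASSUMPTION: these two patterns are reconstructed from memory of the
// pre-/post-fix MONTHS_IN_FORMAT regex in moment; only the shape matters.
// Vulnerable shape: the quantified group (...)+ ends in \s+, so a run of n
// spaces can be split between inner and outer quantifier in 2^(n-1) ways,
// and every split is retried when the trailing MMMM? fails to match.
const NESTED = /D[oD]?(\[[^\[\]]*\]|\s+)+MMMM?/;
// Fixed shape: \s inside the group, so each space is consumed exactly one way.
const FIXED  = /D[oD]?(\[[^\[\]]*\]|\s)+MMMM?/;

// Heuristic lint: flag a quantified group whose last element is itself
// quantified, e.g. (\s+)+ or (a*)*. Escapes and [...] classes are skipped so
// ')' or '+' inside a class is not misread. It does not catch every ReDoS.
function hasNestedQuantifier(source) {
  let inClass = false;
  for (let i = 0; i < source.length; i++) {
    const c = source[i];
    if (c === '\\') { i++; continue; }                 // skip escaped char
    if (inClass) { if (c === ']') inClass = false; continue; }
    if (c === '[') { inClass = true; continue; }
    if (c === ')' && /^[+*{]/.test(source.slice(i + 1))) {
      const prev = source[i - 1];
      if (prev === '+' || prev === '*' || prev === '}') return true;
    }
  }
  return false;
}

// The fix must not change which format strings are recognised (constructed samples).
const LEGIT_FORMATS = ['D MMMM', 'Do MMM', 'D [de] MMMM YYYY', 'DD MMMM'];
const NON_FORMATS   = ['MMMM D', 'YYYY-MM-DD', 'dddd'];
function sameDecisions(a, b, inputs) {
  return inputs.every((s) => a.test(s) === b.test(s));
}

// Near-miss input of the kind the advisory describes: a valid prefix, a run of
// whitespace, then a character that makes the final MMMM? fail (constructed).
function nearMiss(spaces) { return 'D' + ' '.repeat(spaces) + 'X'; }
function matchMillis(re, input) {
  const t0 = performance.now();
  re.test(input);
  return performance.now() - t0;
}

// Small n keeps the demo quick; the nested pattern roughly doubles per extra
// space while the fixed one stays flat.
for (const n of [14, 16, 18, 20]) {
  console.log(`${n} spaces: nested ${matchMillis(NESTED, nearMiss(n)).toFixed(2)} ms,`
            + ` fixed ${matchMillis(FIXED, nearMiss(n)).toFixed(3)} ms`);
}
console.log('lint nested:', hasNestedQuantifier(NESTED.source),
            'lint fixed:', hasNestedQuantifier(FIXED.source));
```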

Comment 1 Andrej Nemec 2016-10-25 13:49:19 UTC
Created nodejs-moment tracking bugs for this issue:

Affects: fedora-all [bug 1388495]

Comment 2 Kurt Seifried 2017-01-10 20:00:14 UTC
Statement:

This issue affects the versions of nodejs-moment as shipped with Red Hat Satellite version 5. Red Hat Product Security has rated this issue as having Moderate security impact. A future update may address this issue. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.