Bug 1493989 (CVE-2017-15010)
| Summary: | CVE-2017-15010 nodejs-tough-cookie: Regular expression denial of service | ||||||
|---|---|---|---|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Andrej Nemec <anemec> | ||||
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> | ||||
| Status: | CLOSED ERRATA | QA Contact: | |||||
| Severity: | medium | Docs Contact: | |||||
| Priority: | medium | ||||||
| Version: | unspecified | CC: | ahardin, bdettelb, bleanhar, ccoleman, dedgar, dffrench, dmcphers, drusso, hhorak, jgoulding, jkeck, jmadigan, jokerman, jorton, jshepherd, kpiwko, lgriffin, mchappel, ngough, nodejs-sig, pbraun, piotr1212, pwright, rrajasek, tomckay, trepel, zsvetlik | ||||
| Target Milestone: | --- | Keywords: | Security | ||||
| Target Release: | --- | ||||||
| Hardware: | All | ||||||
| OS: | Linux | ||||||
| Whiteboard: | |||||||
| Fixed In Version: | tough-cookie 2.3.3 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: |
A regular expression denial of service flaw was found in Tough-Cookie. An attacker able to make an application using Touch-Cookie to parse a sufficiently large HTTP request Cookie header could cause the application to consume an excessive amount of CPU.
|
Story Points: | --- | ||||
| Clone Of: | Environment: | ||||||
| Last Closed: | 2019-06-08 03:25:58 UTC | Type: | --- | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | 1493991, 1497695, 1497696, 1497700, 1497701, 1566717, 1598163 | ||||||
| Bug Blocks: | 1493992 | ||||||
| Attachments: |
|
||||||
|
Description
Andrej Nemec
2017-09-21 09:43:32 UTC
Created nodejs-tough-cookie tracking bugs for this issue: Affects: fedora-all [bug 1493991] Created attachment 1333247 [details]
patch
External References: https://nodesecurity.io/advisories/525 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2912 https://access.redhat.com/errata/RHSA-2017:2912 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 6 Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS Via RHSA-2017:2913 https://access.redhat.com/errata/RHSA-2017:2913 RHMAP is vulnerable though use of Request NodeJS library. Need to upgrade to at least 2.83.0 This issue has been addressed in the following products: Red Hat Mobile Application Platform 4.6 Via RHSA-2018:1264 https://access.redhat.com/errata/RHSA-2018:1264 This issue has been addressed in the following products: Red Hat Mobile Application Platform 4.6 Via RHSA-2018:1263 https://access.redhat.com/errata/RHSA-2018:1263 NodeJS is shipped in Openshift Enterprise 3.9 as ImageStreams. Those ImageStreams are the RH Software Collection images. Setting Openshift Enterprise 3 as not affected. Statement: Red Hat Quay include nodejs-tough-cookie as a build time dependency of protractor. It's no included in the runtime code, and is therefore not affected by this vulnerability. |