Bug 1545884 (CVE-2018-3721)

Summary: CVE-2018-3721 lodash: Prototype pollution in utilities function
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bdettelb, bleanhar, ccoleman, cpelland, dajohnso, dblechte, dedgar, dfediuck, dffrench, dmcphers, drusso, eedri, gblomqui, gmccullo, gtanzill, hhudgeon, jfrey, jgoulding, jhardy, jkeck, jmadigan, jprause, jshepherd, lgriffin, mgoldboi, michal.skrivanek, ngough, obarenbo, omachace, pwright, rhel8-maint, roliveri, rrajasek, sbonazzo, sgratch, sherold, simaishi, tomckay, trepel, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: lodash 4.17.5 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-08-15 08:47:01 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1545885, 1545886, 1545887, 1549919, 1549920, 1549921    
Bug Blocks: 1545889    

Description Pedro Sampaio 2018-02-15 18:50:28 UTC 
Affected versions of this package are vulnerable to Prototype Pollution. The utilities function allows modification of the Object prototype. If an attacker can control part of the structure passed to this function, they could add or modify an existing property leading to potential denial of service.

Upstream patch:

https://github.com/lodash/lodash/commit/d8e069cc3410082e44eb18fcf8e7f3d08ebe1d4a

References:

https://snyk.io/vuln/npm:lodash:20180130
https://hackerone.com/reports/310443
Comment 1 Pedro Sampaio 2018-02-15 18:50:59 UTC 
Created lodash tracking bugs for this issue:

Affects: fedora-all [bug 1545887]


Created nodejs-lodash tracking bugs for this issue:

Affects: epel-all [bug 1545885]
Comment 3 Jason Shepherd 2018-02-16 05:18:25 UTC 
Node of the libraries, or services using the lodash in RHMAP call the vulnerable methods with the expection of the _send function in 'sendgrid' version 1.9.1. For 'sendgrid' the parameters passed to 'lodash.merge' are not obtained from user input:

https://github.com/sendgrid/sendgrid-nodejs/blob/967fb3105908617b41b761d3f18bbc623eb4579a/lib/sendgrid.js#L70
Comment 7 Doran Moppert 2019-08-15 03:33:54 UTC 
Statement:

Red Hat CloudForms version 4.7 does not ship component lodash, so isn't affected by this flaw.

Red Hat Virtualization 4.2 EUS includes a vulnerable version of lodash as part of the ovirt-engine-dashboard package. This package has been removed from Red Hat Virtualization 4.3.
Comment 8 Product Security DevOps Team 2019-08-15 08:47:01 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-3721
Comment 10 errata-xmlrpc 2021-10-19 12:10:01 UTC 
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917