Bug 1547272 (CVE-2018-1109)
| Summary: | CVE-2018-1109 nodejs-braces: Regular Expression Denial of Service (ReDoS) in lib/parsers.js | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Laura Pardo <lpardo> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED NOTABUG | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | ahardin, bdettelb, bleanhar, ccoleman, dedgar, dffrench, dmcphers, drusso, hhorak, jgoulding, jkeck, jmadigan, jokerman, jorton, jshepherd, jsmith.fedora, kseifried, lgriffin, mchappel, ngough, pwright, rrajasek, thrcka, tjay, tomckay, trepel, zsvetlik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | braces 2.3.1 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A vulnerability was found in nodejs-braces. Affected versions of this package are vulnerable to Regular expression Denial of Service (ReDoS) attacks. The highest threat from this vulnerability is system availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2018-06-29 20:48:27 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1566711, 1596764 | ||
| Bug Blocks: | 1547276, 1944342 | ||
The 'braces' library is included in RHMAP, fh-ngui by the 'watchify' library. It doesn't accept user input to the string being matched by the vulnerable regular expression. Marking RHMAP as not affected. NodeJS is shipped in Openshift Enterprise 3.9 as ImageStreams. Those ImageStreams are the RH Software Collection images. Setting Openshift Enterprise 3 as not affected. The problematic regular expression was added as an optimization in version 2.2.0 via the following commit: https://github.com/micromatch/braces/commit/dcc1acab4de9a43e86ab4be4acde209ff1dca113 Therefore, this issue is not applicable to older braces versions. The nodejs-braces was added to Fedora 28, using affected upstream version 2.2.2. Rawhide / F29 already has fixed upstream version 2.3.2. Created nodejs-braces tracking bugs for this issue: Affects: fedora-28 [bug 1596764] Statement: Red Hat Quay includes braces as a dependency of webpack. Braces is only used at build time, not at runtime, reducing the impact of this vulnerability to low. This issue has been addressed in the following products: Red Hat Quay 3 Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917 |
A vulnerability was found in Braces versions prior to 2.3.1. Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks. It used a regular expression (^\{(,+(?:(\{,+\})*),*|,*(?:(\{,+\})*),+)\}) in order to detects empty braces. This can cause an impact of about 10 seconds matching time for data 50K characters long. Upstream Patch: https://github.com/micromatch/braces/commit/abdafb0cae1e0c00f184abbadc692f4eaa98f451 External References: https://snyk.io/vuln/npm:braces:20180219