Bug 1685824

Summary: nodejs-handlebars: prototype pollution in object's prototype leading to arbitrary code execution on the server
Product: [Other] Security Response
Reporter: msiddiqu
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, cmacedo, dedgar, dffrench, drusso, e, eparis, jburrell, jcantril, jgoulding, jmadigan, jokerman, jshepherd, mchappel, ngough, nodejs-sig, nstielau, piotr1212, pwright, sponnaga, trepel
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: nodejs-handlebars 4.0.13, nodejs-handlebars 4.1.0
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-10-27 03:25:51 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1685825, 1685826, 1686671, 1686672
Bug Blocks: 1685828, 1696523

Description msiddiqu 2019-03-06 08:24:35 UTC
handlebars is an extension to the Mustache templating language. Affected versions of this package are vulnerable to Prototype Pollution. Templates may alter an object's prototype, thus allowing an attacker to execute arbitrary code on the server.

Upstream issue:
https://github.com/wycats/handlebars.js/issues/1495

Upstream patch:
https://github.com/wycats/handlebars.js/commit/7372d4e9dffc9d70c09671aa28b9392a1577fd86

Reference: 
https://github.com/wycats/handlebars.js/blob/master/release-notes.md

Comment 1 msiddiqu 2019-03-06 08:24:53 UTC
Created nodejs-handlebars tracking bugs for this issue:

Affects: epel-all [bug 1685826]
Affects: fedora-all [bug 1685825]

Comment 5 Jason Shepherd 2019-03-07 22:57:19 UTC
Kibana in OpenShift Container Platform (OCP) 3, and 4 ships a vulnerable version of the Handlebars NodeJS library. I've notified the Elastic Security Team about this, and they said they will upgrade the dependency in a future release. It's not fixed as of 5.6.15 and 6.6.1.

Red Hat Product Security have not confirmed this vulnerability is exploitable in OCP 3, or 4 via Kibana.

Comment 8 Jeff Cantrill 2019-03-13 14:18:46 UTC
(In reply to Jason Shepherd from comment #5)
> Kibana in OpenShift Container Platform (OCP) 3, and 4 ships a vulnerable
> version of the Handlebars NodeJS library. I've notified the Elastic Security
> Team about this, and they said they will upgrade the dependency in a future
> release. It's not fixed as of 5.6.15 and 6.6.1.
> 
> Red Hat Product Security have not confirmed this vulnerability is
> exploitable in OCP 3, or 4 via Kibana.

Will there be confirmation it is exploitable in Kibana before we take on the effort to try and fix?

Comment 10 Doran Moppert 2019-06-06 04:02:56 UTC
It looks like there have been further fixes to address variants of this vulnerability:

https://github.com/wycats/handlebars.js/issues/1495#issuecomment-482781365
> Version 4.0.14 and 4.1.2 contain fixes for an attack vector that was not considered in 4.1.0 and 4.0.13.
>
> Another more complete fix will follow.

Appears to be referencing:

https://github.com/wycats/handlebars.js/commit/cd38583216dce3252831916323202749431c773e