Bug 1727312 (CVE-2018-3739)

Summary: CVE-2018-3739 nodejs-https-proxy-agent: Unsanitized options passed to Buffer() allow for denial of service
Product: [Other] Security Response
Reporter: Laura Pardo <lpardo>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: bdettelb, cbyrne, cmacedo, dffrench, drusso, extras-orphan, hhorak, jmadigan, jorton, jshepherd, ngough, nodejs-maint, nodejs-sig, piotr1212, pwright, rschiron, sfowler, tomckay, trepel
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nodejs-https-proxy-agent 2.2.0
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in https-proxy-agent prior to version 2.2.0. It was discovered that https-proxy-agent passes the auth option to the Buffer constructor without proper sanitization. Because Buffer() treats a numeric argument as a size rather than as data, this could result in a denial of service through consumption of all available CPU resources, and in data exposure through an uninitialized memory leak, in setups where an attacker could submit typed input to the auth parameter.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-02-01 08:41:48 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1727314, 1727792
Bug Blocks: 1588910

Description Laura Pardo 2019-07-05 14:14:11 UTC
https-proxy-agent before 2.2.0 passes auth option to the Buffer constructor without proper sanitization, resulting in DoS and uninitialized memory leak in setups where an attacker could submit typed input to the 'auth' parameter (e.g. JSON).


References:
https://nodesecurity.io/advisories/593
https://hackerone.com/reports/319532

Comment 1 Laura Pardo 2019-07-05 14:14:32 UTC
Created nodejs-https-proxy-agent tracking bugs for this issue:

Affects: epel-7 [bug 1727314]

Comment 2 Laura Pardo 2019-07-05 14:16:52 UTC
*** Bug 1576651 has been marked as a duplicate of this bug. ***

Comment 8 Riccardo Schirone 2019-07-12 15:02:30 UTC
Lowering Impact to Medium as the attacker needs to submit a number as the `auth` parameter and because in NodeJS version >= 8 the buffer is initialized to 0, so there is no real leak of sensitive data.

The Impact is Denial Of Service (DoS) through consumption of CPU resources or data exposure, though in both NodeJS v8 and v10 (shipped in Red Hat Software Collections and Red Hat Enterprise Linux 8) the data exposure cannot be triggered.
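The following is an added illustration of the flaw class described in the Description and in Comment 8 above. It is not https-proxy-agent's own code: it reconstructs the pattern the advisory names (the proxy `auth` option passed straight to the overloaded Buffer() constructor) next to a hardened variant, and shows why a numeric `auth` arriving from parsed JSON turns an encoding step into an allocation. The function names (`proxyAuthHeaderUnsafe`, `proxyAuthHeaderSafe`, `unsafeAllocatedBytes`, `demo`), the host name and the JSON input are constructed for this example.

```javascript
// Added example, not code from https-proxy-agent. Reconstructs the pattern
// the advisory describes and a hardened alternative. All names and the
// sample JSON below are constructed for illustration.

// Untrusted, typed input: JSON lets a caller supply a number where a
// "user:pass" string is expected. 16 is kept small so the demo is cheap;
// an attacker would pick a value close to buffer.constants.MAX_LENGTH.
const untrustedProxyOptions = JSON.parse(
  '{"host":"proxy.example.test","port":3128,"auth":16}'
);

// Vulnerable pattern. Buffer(x) is overloaded on the type of x: a string is
// encoded, but a number is treated as a SIZE and allocates that many bytes.
// On Node < 8 the bytes are uninitialized (stale heap contents end up in the
// Proxy-Authorization header); on Node >= 8 they are zero-filled, so what
// remains is the allocation cost (CPU and memory), i.e. the DoS.
function proxyAuthHeaderUnsafe(opts) {
  return 'Basic ' + Buffer(opts.auth).toString('base64');
}

// How many bytes the unsafe pattern actually allocates for a given value:
// a string's byte length, or the number itself when a number is passed.
function unsafeAllocatedBytes(auth) {
  return Buffer(auth).length;
}

// Hardened variant: reject anything that is not a string, then use
// Buffer.from() with an explicit encoding. Even without the guard,
// Buffer.from(number) throws a TypeError instead of allocating, so a numeric
// auth can no longer become a size; the guard just gives a clearer error.
function proxyAuthHeaderSafe(opts) {
  if (typeof opts.auth !== 'string') {
    throw new TypeError('proxy auth must be a "user:pass" string');
  }
  return 'Basic ' + Buffer.from(opts.auth, 'utf8').toString('base64');
}

// Runs both variants against the constructed input and reports the outcome.
function demo() {
  const unsafe = proxyAuthHeaderUnsafe(untrustedProxyOptions);
  let safeRejected = false;
  try {
    proxyAuthHeaderSafe(untrustedProxyOptions);
  } catch (e) {
    safeRejected = e instanceof TypeError;
  }
  return {
    unsafe, // base64 of 16 zero bytes on Node >= 8, not of any credential
    allocated: unsafeAllocatedBytes(untrustedProxyOptions.auth), // 16
    safeRejected, // true: the hardened variant refuses the numeric auth
  };
}

console.log(demo());
```

Node prints a DEP0005 deprecation warning when Buffer() is called this way; that warning is the runtime's hint that the overloaded constructor is the problem. The practical check for a dependency audit is therefore any call of `Buffer(` or `new Buffer(` whose argument is not guaranteed to be a string or byte container; replacing it with `Buffer.from()` (and `Buffer.alloc()` where a size really is intended) removes the ambiguity.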

Comment 9 Riccardo Schirone 2019-07-16 08:13:58 UTC
External References:

https://www.npmjs.com/advisories/593

Comment 10 Product Security DevOps Team 2021-02-01 08:41:48 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-3739

Comment 11 Jason Shepherd 2021-03-22 00:04:01 UTC
Statement:

This issue did not affect the versions of nodejs as shipped with Red Hat Enterprise Linux 8 as they already include the patched code.
This issue did not affect the versions of rh-nodejs10-nodejs as shipped with Red Hat Software Collections 3 as they already include the patched code.

Red Hat Quay uses nodejs-https-proxy-agent, but only as a development dependency; it is not used at runtime. Therefore we rated this issue as having a low impact for Red Hat Quay.