Bug 1727312 (CVE-2018-3739)
Summary: | CVE-2018-3739 nodejs-https-proxy-agent: Unsanitized options passed to Buffer() allow for denial of service |
---|---|
Product: | [Other] Security Response |
Component: | vulnerability |
Reporter: | Laura Pardo <lpardo> |
Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED WONTFIX |
Severity: | medium |
Priority: | medium |
Version: | unspecified |
Keywords: | Security |
Hardware: | All |
OS: | Linux |
CC: | bdettelb, cbyrne, cmacedo, dffrench, drusso, extras-orphan, hhorak, jmadigan, jorton, jshepherd, ngough, nodejs-maint, nodejs-sig, piotr1212, pwright, rschiron, sfowler, tomckay, trepel |
Fixed In Version: | nodejs-https-proxy-agent 2.2.0 |
Doc Text: | A flaw was found in https-proxy-agent, prior to version 2.2.0. It was discovered https-proxy-agent passes an auth option to the Buffer constructor without proper sanitization. This could result in a Denial of Service through the usage of all available CPU resources and data exposure through an uninitialized memory leak in setups where an attacker could submit typed input to the auth parameter. |
Last Closed: | 2021-02-01 08:41:48 UTC |
Bug Depends On: | 1727314, 1727792 |
Bug Blocks: | 1588910 |
Description
Laura Pardo
2019-07-05 14:14:11 UTC
Created nodejs-https-proxy-agent tracking bugs for this issue:

Affects: epel-7 [bug 1727314]

*** Bug 1576651 has been marked as a duplicate of this bug. ***

Upstream patch:
https://github.com/TooTallNate/node-https-proxy-agent/commit/1c24219df87524e6ed973127e81f30801d658f07

Lowering Impact to Medium as the attacker needs to submit a number as the `auth` parameter and because in NodeJS version >= 8 the buffer is initialized to 0, so there is no real leak of sensitive data. The Impact is Denial Of Service (DoS) through consumption of CPU resources or data exposure, though in both NodeJS v8 and v10 (shipped in Red Hat Software Collections and Red Hat Enterprise Linux 8) the data exposure cannot be triggered.

External References:
https://www.npmjs.com/advisories/593

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2018-3739

Statement:

This issue did not affect the versions of nodejs as shipped with Red Hat Enterprise Linux 8 as they already include the patched code.

This issue did not affect the versions of rh-nodejs10-nodejs as shipped with Red Hat Software Collections 3 as they already include the patched code.

Red Hat Quay uses nodejs-https-proxy-agent, but only as a development dependency; it is not used at runtime. Therefore we rated this issue as having a low impact for Red Hat Quay.
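
The flaw class described in the Doc Text, shown from the defensive side as an added example (this is not code from https-proxy-agent or from this bug report). The function names `proxyAuthHeader`, `headerFromJson` and `bufferFromRejectsNumber` are hypothetical, and the JSON inputs used with them are constructed samples of "typed input" reaching the `auth` option.

```javascript
// Added example, not https-proxy-agent source. All names here are hypothetical.
//
// Pattern the advisory describes (kept as a comment, not executed):
//   'Basic ' + new Buffer(auth).toString('base64')
// If auth is a number n, new Buffer(n) allocates n bytes instead of encoding
// text: uninitialized memory before Node.js 8, zero-filled from 8 onward,
// and in both cases work proportional to n.

function proxyAuthHeader(auth) {
  // Accept only a non-empty string. Numbers, arrays or objects decoded from
  // JSON are rejected before any Buffer is created.
  if (typeof auth !== 'string' || auth.length === 0) {
    throw new TypeError('proxy auth must be a non-empty string');
  }
  // Buffer.from(string) encodes the characters; it never treats the
  // argument as an allocation size.
  return 'Basic ' + Buffer.from(auth, 'utf8').toString('base64');
}

// Options as they might arrive in a JSON request body, where the caller
// controls the type of each field as well as its value.
function headerFromJson(json) {
  const opts = JSON.parse(json);
  try {
    return { ok: true, header: proxyAuthHeader(opts.auth) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Second line of defence: Buffer.from itself refuses a numeric argument,
// so a missed type check fails with a TypeError instead of allocating.
function bufferFromRejectsNumber(n) {
  try {
    Buffer.from(n);
    return false;
  } catch (err) {
    return err instanceof TypeError;
  }
}
```

A dependency audit for this bug can also grep application code for `new Buffer(` applied to values that originate from request bodies or configuration parsed as JSON.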