Bug 1739497 (CVE-2019-10744)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary: | CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties | | |
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | | |
| Version: | unspecified | CC: | abonas, ahardin, aileenc, aos-bugs, ataylor, bdettelb, bleanhar, bmontgom, ccoleman, chazlett, dblechte, dedgar, dfediuck, drieden, eedri, eparis, gbrown, ggaughan, gmalinko, hhorak, janstey, jburrell, jcantril, jcosta, jgoulding, jochrist, jokerman, jorton, jross, jwon, kconner, mchappel, mgoldboi, michal.skrivanek, nodejs-maint, nodejs-sig, nstielau, periklis, rcernich, sbonazzo, security-response-team, sgratch, sherold, sponnaga, swshanka, tomckay, yturgema |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | | |
| Hardware: | All | | |
| OS: | Linux | | |
| Whiteboard: | | | |
| Fixed In Version: | lodash 4.17.12 | Doc Type: | If docs needed, set a value |
| Doc Text: | A Prototype Pollution vulnerability was found in lodash. Calling certain methods with untrusted JSON could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences. | | |
| Story Points: | --- | | |
| Clone Of: | | Environment: | |
| Last Closed: | 2019-10-10 18:51:07 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | 1739502, 1741407, 1741408, 1741409, 1741410, 1753842 | | |
| Bug Blocks: | 1739503 | | |
Description
Marian Rehak
2019-08-09 13:06:14 UTC
Created nodejs-lodash tracking bugs for this issue:

Affects: epel-all [bug 1739502]

This issue has been addressed in the following products:

Red Hat Virtualization Engine 4.3

Via RHSA-2019:3024 https://access.redhat.com/errata/RHSA-2019:3024

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10744

Jaeger includes multiple references of lodash, including versions 4.17.10 and 4.17.11. Have dropped impact to moderate as, whilst Jaeger is vulnerable, it is not directly accessible, being protected behind OpenShift authentication - if successfully exploited within Jaeger no privilege boundary will be crossed. Additionally, the defaultsDeep function is not directly called within the Jaeger UI; an exploit vector would have to be found in one of the libraries, increasing the difficulty significantly.

Also including:
- kiali v4.17.4
- servicemesh-grafana v4.17.4

Also keeping impact as Moderate due to Comment #9

This issue has been addressed in the following products:

Openshift Service Mesh 1.0
OpenShift Service Mesh 1.0

Via RHSA-2020:2362 https://access.redhat.com/errata/RHSA-2020:2362

This issue has been addressed in the following products:

Jaeger-1.17

Via RHSA-2020:2819 https://access.redhat.com/errata/RHSA-2020:2819

Statement: The lodash dependency is included in OpenShift Container Platform (OCP) by Kibana in the aggregated logging stack. Elastic have issued a security advisory (ESA-2019-10) for Kibana for this vulnerability, and in that advisory stated that no exploit vectors had been identified in Kibana. Therefore we rate this issue as moderate for OCP and may fix this issue in a future release. https://www.elastic.co/community/security

This issue did not affect the versions of rh-nodejs8-nodejs and rh-nodejs10-nodejs as shipped with Red Hat Software Collections.

Whilst a vulnerable version of lodash has been included in ServiceMesh, the impact is lowered to Moderate due to the library not being directly accessible, increasing the attack complexity, and the fact that the attacker would need some existing access - meaning the vulnerability is not crossing a privilege boundary.

Red Hat Quay imports lodash as a runtime dependency of restangular. The restangular functions in use by Red Hat Quay do not use lodash to parse user input. This issue is therefore rated moderate impact for Red Hat Quay.

Marking Red Hat Fuse 7 and Red Hat AMQ Broker 7 as having a low impact; this is because both products use the Hawtio console, which distributes lodash, however the vulnerable defaultsDeep, merge and mergeWith functions are not used/available to the attacker directly. Adding to this, the JavaScript libraries using lodash are not accessible without authentication for the console itself.

This issue has been addressed in the following products:

Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134

This issue has been addressed in the following products:

Red Hat AMQ 7.10.0

Via RHSA-2022:5101 https://access.redhat.com/errata/RHSA-2022:5101
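Defensive counterpart to the Doc Text and to the defaultsDeep/merge/mergeWith discussion above, as an added example that is not part of the bug report and is not lodash's own fix: a validator that flags keys reaching the prototype chain in untrusted JSON before any merge runs, and a deep-defaults routine that skips such keys. The constructed sample input and all function names are assumptions.

```javascript
// Added illustration, not lodash's or Red Hat's code: validate untrusted JSON and
// apply a hardened deep-defaults. Plain Node.js, no dependencies.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']); // can reach Object.prototype
function isPlainObject(value) {
  if (value === null || typeof value !== 'object' || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === null || proto === Object.prototype;
}

// Validation step: list every dangerous key path in parsed JSON so the request can be
// rejected and logged before any merge/defaults call runs. Object.keys yields own keys
// only, and JSON.parse stores "__proto__" as an own key, so it is visible here.
function findPollutionKeys(value, path = []) {
  const hits = [];
  if (!isPlainObject(value)) return hits;
  for (const key of Object.keys(value)) {
    const here = [...path, key];
    if (FORBIDDEN_KEYS.has(key)) hits.push(here.join('.'));
    hits.push(...findPollutionKeys(value[key], here));
  }
  return hits;
}

// Hardened defaultsDeep: fill undefined properties of `target` from `source`,
// recursing only into plain objects and never writing through a forbidden key.
function safeDefaultsDeep(target, source) {
  if (!isPlainObject(target) || !isPlainObject(source)) return target;
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const src = source[key];
    const cur = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
    if (cur === undefined) {
      target[key] = isPlainObject(src) ? safeDefaultsDeep({}, src) : src;
    } else if (isPlainObject(cur) && isPlainObject(src)) {
      safeDefaultsDeep(cur, src);
    }
  }
  return target;
}

// Constructed test input (not from the bug): the shape a validator must catch.
const UNTRUSTED_JSON = '{"theme":"dark","__proto__":{"isAdmin":true},"nested":{"constructor":{"prototype":{"x":1}}}}';
function demo() {
  const payload = JSON.parse(UNTRUSTED_JSON);
  const findings = findPollutionKeys(payload);
  const config = safeDefaultsDeep({ theme: 'light', nested: { y: 2 } }, payload);
  const globalClean = ({}).isAdmin === undefined && ({}).x === undefined;
  return { findings, config, globalClean };
}
```

Rejecting a request whenever `findPollutionKeys` returns a non-empty list is the cheaper control; the hardened defaults routine is the belt-and-braces fallback for code paths that must still merge.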