Bug 1918162 (CVE-2020-28477)

Summary: CVE-2020-28477 nodejs-immer: prototype pollution may lead to DoS or remote code execution
Product: [Other] Security Response
Reporter: Marian Rehak <mrehak>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: alegrand, anpicker, bmontgom, dfediuck, dramseur, eedri, emarcus, eparis, erooth, gghezzo, gparvin, jburrell, jhunter, jokerman, jramanat, jshaughn, jweiser, jwendell, kakkoyun, kconner, kmitts, lcosic, mgala, mgoldboi, michal.skrivanek, mjudeiki, nstielau, pkrupa, rcernich, sbonazzo, sgratch, sherold, sponnaga, stcannon, surbania, thee, twalsh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nodejs-immer 8.0.1
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-04-14 16:46:46 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1918654, 1925117
Bug Blocks: 1918163

Description Marian Rehak 2021-01-20 08:36:40 UTC
When the source object contains a property named __proto__ defined with Object.defineProperty(), the condition that checks if the property exists and is an object on both the target and the source passes, and the merge recurses with the target being the prototype of Object and the source of Object as defined by the attacker. Properties are then copied onto the Object prototype.

Reference:

https://github.com/immerjs/immer/blob/master/src/plugins/patches.ts#L213
https://snyk.io/vuln/SNYK-JS-IMMER-1019369
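The mechanism the description above explains, as an added example that is not immer's code and not part of this bug report: a naive recursive merge of the shape described, fed a source whose `__proto__` is an own, enumerable property created with Object.defineProperty(), beside a hardened merge that rejects prototype-bearing keys and only descends into properties the target actually owns. The function names, the `polluted` marker and the inputs are constructed for this illustration.

```javascript
// Added example, not immer's code: a naive recursive merge of the shape the
// advisory describes, beside a hardened variant. All names and inputs here
// are constructed for the illustration.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// VULNERABLE PATTERN: recurse whenever both sides hold an object under the
// same key. For an own source key named "__proto__", target["__proto__"]
// resolves through the inherited accessor to Object.prototype, so the
// recursion copies the attacker-controlled properties onto Object.prototype.
function mergeNaive(target, source) {
  for (const key of Object.keys(source)) {
    if (isPlainObject(target[key]) && isPlainObject(source[key])) {
      mergeNaive(target[key], source[key]);
    } else {
      target[key] = source[key];
    }
  }
  return target;
}

// HARDENED: reject keys that reach a prototype, and only descend into
// properties the target owns itself, never inherited ones.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) {
      throw new Error(`refusing to merge prototype-bearing key: ${key}`);
    }
    const srcVal = source[key];
    if (isPlainObject(srcVal)) {
      const ownTarget =
        Object.prototype.hasOwnProperty.call(target, key) && isPlainObject(target[key])
          ? target[key]
          : {};
      target[key] = mergeSafe(ownTarget, srcVal);
    } else {
      target[key] = srcVal;
    }
  }
  return target;
}

// Constructed input: an own, enumerable property literally named "__proto__",
// created with Object.defineProperty() as the description says. Writing
// { __proto__: {...} } as an object literal would instead set the real
// prototype and not produce an own key at all.
function buildMaliciousSource() {
  const source = {};
  Object.defineProperty(source, '__proto__', {
    value: { polluted: 'yes' },
    enumerable: true,
    configurable: true,
    writable: true,
  });
  return source;
}

// Runs the naive merge once and measures the effect on an unrelated object,
// then removes the polluted property so the rest of the process is unaffected.
function demoNaive() {
  const target = {};
  const before = ({}).polluted;            // undefined
  mergeNaive(target, buildMaliciousSource());
  const after = ({}).polluted;             // 'yes': every object now inherits it
  const targetOwnsKey = Object.prototype.hasOwnProperty.call(target, 'polluted'); // false
  delete Object.prototype.polluted;
  return { before, after, targetOwnsKey };
}

// Runs the hardened merge: the malicious source is rejected, ordinary nested
// merges still work, and Object.prototype is left untouched.
function demoSafe() {
  const target = { keep: 1, nested: { a: 1 } };
  let rejected = false;
  try {
    mergeSafe(target, buildMaliciousSource());
  } catch (e) {
    rejected = true;
  }
  mergeSafe(target, { nested: { b: 2 }, extra: 'ok' });
  return { rejected, polluted: ({}).polluted, target };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive:', demoNaive());
  console.log('safe :', demoSafe());
}
```

Note that the naive merge leaves `target` itself looking untouched (it owns no `polluted` key) while every other object in the process now inherits the attacker's property, which is why this class of bug is easy to miss in tests that only inspect the merge result. Rejecting the key rather than silently skipping it gives the call site something to log; freezing Object.prototype at startup or running Node with --disable-proto=delete are process-wide mitigations that do not depend on any single merge routine being correct.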

Comment 5 Przemyslaw Roguski 2021-01-21 12:20:32 UTC
External References:

https://snyk.io/vuln/SNYK-JS-IMMER-1019369

Comment 11 Przemyslaw Roguski 2021-02-04 12:57:12 UTC
Statement:

Red Hat Virtualization includes an affected version of nodejs-immer; however, the usage does not meet the conditions required to exploit the flaw, therefore the impact is Low.

In OpenShift Container Platform 4.6 (OCP) the openshift4/ose-prometheus container ships the vulnerable version of nodejs-immer; however, the Prometheus react-ui is disabled, hence this flaw cannot be exploited. As the openshift4/ose-prometheus container still packages the vulnerable code, this component is affected with impact Low. This may be fixed in a future release.

Comment 15 errata-xmlrpc 2021-04-14 11:39:52 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:1169 https://access.redhat.com/errata/RHSA-2021:1169

Comment 16 Product Security DevOps Team 2021-04-14 16:46:46 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28477