Bug 1928937 (CVE-2021-23337)

Summary: CVE-2021-23337 nodejs-lodash: command injection via template
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: nodejs-lodash-4.17.21
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-lodash. A command injection flaw is possible through template variables.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-04-13 06:39:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1946164, 1928938, 1928939, 1930138, 1930139, 1930140, 1930141, 1930142, 1930143, 1930144, 1930145, 1930146, 1930147, 1931267, 1931268, 1931269, 1931270, 1931271, 1931272, 1931273, 1931274, 1931275, 1937751, 1937752, 1937753, 1938272, 1938273, 2110861
Bug Blocks: 1928940

Description Guilherme de Almeida Suckevicz 2021-02-15 20:21:31 UTC
All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Command Injection via template.

Reference:
https://snyk.io/vuln/SNYK-JS-LODASH-1040724

Comment 1 Guilherme de Almeida Suckevicz 2021-02-15 20:22:04 UTC
Created lodash tracking bugs for this issue:

Affects: fedora-32 [bug 1928939]

Created nodejs-lodash tracking bugs for this issue:

Affects: epel-all [bug 1928938]

Comment 2 Jason Shepherd 2021-02-16 00:18:15 UTC
While Red Hat Quay has a dependency on lodash via restangular it doesn't use the vulnerable template function.

Comment 4 Mark Cooper 2021-02-18 01:16:02 UTC
Upstream fix: https://github.com/lodash/lodash/pull/5085/commits/23125079fc43ece274c0e3a49a644ae2dae8b1d3 [not merged yet]

Comment 16 Stoyan Nikolov 2021-03-23 13:04:42 UTC
Statement:

In OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only; therefore, the impact is Low.

While Red Hat Virtualization's cockpit-ovirt has a dependency on lodash it doesn't use the vulnerable template function.

While Red Hat Quay has a dependency on lodash via restangular it doesn't use the vulnerable template function.
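
The two checks these statements rest on, whether a lodash below the fixed 4.17.21 is installed and whether first-party code actually calls the template function, as an added example that is not code from the bug report or from lodash; it assumes a package-lock v2/v3 layout, and the lockfile and source files below are constructed samples:

```javascript
// Added example, not code from the bug report or from lodash: audit a Node
// project for CVE-2021-23337 exposure along the two lines the comments use.
// (1) Is any lodash below the fixed version 4.17.21 installed?
const FIXED = [4, 17, 21];
// Parse "x.y.z" (optional leading "v"); null for ranges, tags or git URLs.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1, 4).map(Number) : null;
}
// true if below 4.17.21, false if fixed, null if the version is not parseable.
function isVulnerableVersion(v) {
  const p = parseVersion(v);
  if (!p) return null;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIXED[i]) return p[i] < FIXED[i];
  }
  return false;
}

// Walk a package-lock v2/v3 "packages" map (keys are node_modules paths) and
// report every lodash copy below the fix, including nested duplicates.
function findVulnerableLodash(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/lodash$/.test(path)) continue;
    if (isVulnerableVersion(meta.version) === true) hits.push({ path, version: meta.version });
  }
  return hits;
}

// (2) Flag lines that call the template function via the full build (_.template,
// lodash.template) or pull it in through the per-method package or module path.
const TEMPLATE_USE = /\b(?:_|lodash)\.template\s*\(|['"]lodash(?:\.template|\/template)['"]/;
function findTemplateUsage(files) {
  const hits = [];
  for (const [file, src] of Object.entries(files)) {
    src.split('\n').forEach((line, i) => {
      if (TEMPLATE_USE.test(line)) hits.push({ file, line: i + 1 });
    });
  }
  return hits;
}
// Constructed sample inputs (hypothetical project, not a real lockfile).
const sampleLock = { packages: {
  'node_modules/lodash': { version: '4.17.20' },
  'node_modules/restangular/node_modules/lodash': { version: '4.17.21' } } };
const sampleFiles = {
  'src/report.js': "const _ = require('lodash');\nconst tpl = _.template('<%= name %>');",
  'src/util.js': "const _ = require('lodash');\nmodule.exports = _.pick;" };
```

A project whose lockfile reports a vulnerable copy but whose source yields no template hits is in the position the statements above describe for cockpit-ovirt and Quay: the dependency is present, the vulnerable function is not reached.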

Comment 19 errata-xmlrpc 2021-04-13 00:09:36 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1168 https://access.redhat.com/errata/RHSA-2021:1168

Comment 20 Product Security DevOps Team 2021-04-13 06:39:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23337

Comment 22 errata-xmlrpc 2021-06-01 13:22:08 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:2179 https://access.redhat.com/errata/RHSA-2021:2179

Comment 23 errata-xmlrpc 2021-06-24 15:20:16 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:2543 https://access.redhat.com/errata/RHSA-2021:2543

Comment 24 errata-xmlrpc 2021-07-27 22:31:46 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438

Comment 25 Jan Werner 2021-07-29 14:21:13 UTC
Updated the public date - originally it was incorrectly set to 2019. Thanks @btarasso

Comment 26 errata-xmlrpc 2021-08-06 00:50:09 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 27 errata-xmlrpc 2021-09-08 14:11:19 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:3459 https://access.redhat.com/errata/RHSA-2021:3459

Comment 30 errata-xmlrpc 2022-09-13 00:58:20 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:6429 https://access.redhat.com/errata/RHSA-2022:6429