Bug 1930420 (CVE-2021-23341)

Summary: CVE-2021-23341 nodejs-prismjs: Regular expression denial of service via prism-asciidoc prism-rest prism-tap and prism-eiffel components
Product: [Other] Security Response Reporter: Pedro Sampaio <psampaio>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: amctagga, anharris, anpicker, bmontgom, bniver, eparis, erooth, flucifre, gmeno, hvyas, jburrell, jokerman, jwendell, lcosic, mbenjamin, mhackett, nstielau, rcernich, sostapov, sponnaga, surbania, twalsh, vereddy
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-prismjs 1.23.0 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-prismjs. A Regular Expression Denial of Service (ReDoS) is possible via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-10-28 01:16:13 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1935242    
Bug Blocks: 1930421    

Description Pedro Sampaio 2021-02-18 20:25:56 UTC 
The package prismjs before 1.23.0 are vulnerable to Regular Expression Denial of Service (ReDoS) via the prism-asciidoc, prism-rest, prism-tap and prism-eiffel components.

References:

https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609
https://github.com/PrismJS/prism/issues/2583
https://github.com/PrismJS/prism/pull/2584
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1076583
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1076582
https://snyk.io/vuln/SNYK-JS-PRISMJS-1076581
Comment 2 Mark Cooper 2021-02-19 00:50:54 UTC 
Upstream fix: https://github.com/PrismJS/prism/commit/c2f6a64426f44497a675cb32dccb079b3eff1609
Comment 7 Mark Cooper 2021-02-22 00:37:28 UTC 
The OCP grafana-container is read-only and behind OpenShift OAuth, hence it has been marked Low and wontfix.

The OSSM servicemesh-grafana rpm is also installed by default behind OpenShift OAuth, however it is not read-only. Where the syntax highlighting could occur is very limited, that and even if we could find a vulnerable location the vulnerability would be limited to impacting the current user - aka DoS's oneself. If a query or such was vulnerable, a potential attacker would still need to be able to save the malicious query, then somehow get a victim to edit and view the syntax. With the impact potentially limited to the user's client session - i.e. the user visits the 'malicious' syntax displayed, causes the browser tab (depending on browser) to freeze it gets closed move on. Hence OSSM has also been marked Low/wontfix.
Comment 12 Sage McTaggart 2021-03-08 20:41:12 UTC 
Statement:

OpenShift Container Platform (OCP)  and Red Hat Ceph Storage (RHCS) 3 and 4  grafana-container does package a vulnerable verison of prismjs. However due to the instance being read only and behind OpenShift OAuth, it has been given a Low impact. Additionally it has been marked as wont-fix at this time and may be fixed in a future release.

OpenShift ServiceMesh (OSSM)  ncludes a vulnerable version of prismjs. Due to the component being behind OpenShift OAuth and the vulnerability itself being limited to the syntax highlighting within grafana, it has been given a Low impact. The OSSM servicemesh-grafana component has been marked as wont-fix at this time and may be fixed in a future release.

Red Hat Ceph Storage RHCS 3 and 4 grafana  includes a vulnerable version of prismjs, however, due to the vulnerability itself being limited to the syntax highlighting within grafana, it has been given a Low impact.  RHCS 3 and 4  have been marked as wont-fix at this time and may be fixed in a future release.