Bug 1940613 (CVE-2021-27292)
Summary: | CVE-2021-27292 nodejs-ua-parser-js: ReDoS via malicious User-Agent header | |
---|---|---|---
Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi>
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team>
Status: | CLOSED ERRATA | QA Contact: |
Severity: | medium | Docs Contact: |
Priority: | medium | |
Version: | unspecified | CC: | alegrand, amctagga, anharris, anpicker, aos-bugs, bmontgom, bniver, eparis, erooth, flucifre, gghezzo, gmeno, gparvin, hvyas, jburrell, jcantril, jcosta, jhadvig, jokerman, jramanat, jweiser, jwendell, kakkoyun, kaycoth, kconner, lcosic, mbenjamin, mcooper, mhackett, nstielau, pkrupa, rcernich, sd-operator-metering, sostapov, sponnaga, stcannon, surbania, swshanka, tflannag, thee, twalsh, vereddy
Target Milestone: | --- | Keywords: | Security
Target Release: | --- | |
Hardware: | All | |
OS: | Linux | |
Whiteboard: | | |
Fixed In Version: | ua-parser-js 0.7.24 | Doc Type: | If docs needed, set a value
Doc Text: | A regular expression denial of service (ReDoS) vulnerability was found in the npm library `ua-parser-js`. If a supplied user agent matches the `Noble` string and contains many spaces, the regex backtracks, taking an ever-increasing amount of time as the number of spaces grows. An attacker could craft a malicious user agent string that results in a denial of service. | |
Story Points: | --- | |
Clone Of: | | Environment: |
Last Closed: | 2021-07-28 01:07:01 UTC | Type: | ---
Regression: | --- | Mount Type: | ---
Documentation: | --- | CRM: |
Verified Versions: | | Category: | ---
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: |
Cloudforms Team: | --- | Target Upstream Version: |
Embargoed: | | |
Bug Depends On: | 1941718, 1941719, 1941720, 1880981, 1941643, 1941644, 1941715, 1941716, 1941717, 1941838, 1941839, 1942019, 1943995, 1943996, 1944182 | |
Bug Blocks: | 1940615 | |
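The backtracking behaviour described in the Doc Text, as an added JavaScript example that is not ua-parser-js code: `VULNERABLE_SHAPE` is a constructed regex with the same shape as the trigger (`Noble` followed by many spaces, matched through a nested whitespace quantifier) and is not the library's actual pattern, and `sanitizeUserAgent` with its 512-character cap is an assumed edge-side mitigation, not something the bug or the upstream fix prescribes.

```javascript
// Added example, not ua-parser-js code. VULNERABLE_SHAPE is a CONSTRUCTED regex with
// the shape the bug describes ("Noble" followed by many spaces, matched by a nested
// quantifier over whitespace); it is not the library's actual pattern.
const VULNERABLE_SHAPE = /Noble(\s+)+;/i;  // nested quantifier: exponential backtracking
const LINEAR_SHAPE     = /Noble\s+;/i;      // same match set, no nesting, linear time

// Constructed failing input: "Noble", n spaces, then a non-';' character. Because the
// final ';' never matches, the engine tries every way to split the spaces between the
// inner and outer '+': 2^(n-1) attempts before giving up.
function failingInput(n) {
  return 'Noble' + ' '.repeat(n) + 'x';
}

// Wall-clock cost of one test() call in milliseconds.
function timeMatchMs(re, s) {
  const t0 = process.hrtime.bigint();
  re.test(s);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Assumed mitigation applied at the edge, before any UA parser runs: cap the header
// length and collapse whitespace runs. This removes the backtracking fuel the bug
// describes regardless of which regex the downstream parser uses.
const MAX_UA_LENGTH = 512; // assumed cap; legitimate User-Agent strings are shorter
function sanitizeUserAgent(ua) {
  if (typeof ua !== 'string') return '';
  return ua.slice(0, MAX_UA_LENGTH).replace(/\s+/g, ' ').trim();
}

// Both patterns accept and reject the same strings; only the cost differs.
function sameMatchResult(s) {
  return VULNERABLE_SHAPE.test(s) === LINEAR_SHAPE.test(s);
}

// Demonstration: the nested pattern's cost roughly doubles per extra space, while the
// linear pattern and the sanitized input stay in the microsecond range.
for (const n of [12, 16, 20]) {
  const raw = failingInput(n);
  console.log(
    `n=${n}: nested ${timeMatchMs(VULNERABLE_SHAPE, raw).toFixed(3)} ms, ` +
    `linear ${timeMatchMs(LINEAR_SHAPE, raw).toFixed(3)} ms, ` +
    `nested on sanitized ${timeMatchMs(VULNERABLE_SHAPE, sanitizeUserAgent(raw)).toFixed(3)} ms`
  );
}
```

Raising `n` by a few more spaces makes the nested pattern take seconds, which is the whole attack surface the Doc Text describes; the sanitized input never grows past one space per run.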
Description
Guilherme de Almeida Suckevicz
2021-03-18 17:56:49 UTC
Upstream fix: https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566

Dang, the upstream fix was already there. Briefly:

Jaeger
- depends on ua-parser-js v0.7.19, hoisted from: `"_project_#jaeger-ui#recompose#fbjs" depends on it`

OpenShift ServiceMesh
- grafana: does not webpack ua-parser-js into the final container (grep the source map/js files for UAParser), and hence is not affected
- prometheus: v0.7.20, still uses the legacy UI but the UI is still accessible through new/graph. However I don't think it's getting packaged as part of the webpack, will confirm in that bug.

OCP
- prometheus: v2.23.0 doesn't have the ua-parser-js dep
- grafana: same as ServiceMesh, doesn't webpack in ua-parser-js
- kibana: is a dep and the container is v0.7.18, rpm is actually 0.7.19
- presto: there is a UI packaged under presto-main (presto-main-328.0.0.redhat-00001.jar) which is hoisted: `"react-dom#fbjs" depends on it`, and is v0.7.18

External References: https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76

Statement: While some components do package a vulnerable version of ua-parser-js, access to them requires OpenShift OAuth credentials and hence they have been marked with a Low impact. This applies to the following products:
- OpenShift Container Platform (OCP)
- OpenShift ServiceMesh (OSSM)
- Red Hat OpenShift Jaeger (RHOSJ)
- Red Hat OpenShift Logging

The OCP presto-container does ship the vulnerable component; however, since OCP 4.6 the Metering product has been deprecated [1], set as wont-fix and may be fixed in a future release. Red Hat Advanced Cluster Management for Kubernetes (RHACM) ships graphql-tools, which pulls in version 0.7.23 of ua-parser-js, which uses the affected code.

[1] - https://access.redhat.com/solutions/5707561

For OCP, unless we can find a reliable way to get webpack to tell us what is being bundled, we're going to rely on `yarn list --prod` or `npm list --prod`, and leave the final decision to engineering. Means for this CVE, all grafana containers (except for 3.11) we're marking affected as `yarn list --prod` is identifying that ua-parser-js is in use. This also applies for openshift-enterprise-console-container.

This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8. Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-27292

This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7, Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8. Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

This issue has been addressed in the following products: Red Hat OpenShift Jaeger 1.24. Via RHSA-2021:3024 https://access.redhat.com/errata/RHSA-2021:3024

This issue has been addressed in the following products: OpenShift Logging 5.1. Via RHSA-2022:0226 https://access.redhat.com/errata/RHSA-2022:0226

This issue has been addressed in the following products: OpenShift Logging 5.3. Via RHSA-2022:0227 https://access.redhat.com/errata/RHSA-2022:0227

This issue has been addressed in the following products: OpenShift Logging 5.2. Via RHSA-2022:0230 https://access.redhat.com/errata/RHSA-2022:0230