Bug 1943208 (CVE-2021-23362)
| Summary: | CVE-2021-23362 nodejs-hosted-git-info: Regular Expression denial of service via shortcutMatch in fromUrl() | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | agerstmayr, alegrand, amctagga, anharris, anpicker, aos-bugs, aturgema, bdettelb, bmontgom, bniver, cfeist, cluster-maint, dblechte, dfediuck, eedri, eparis, erooth, extras-orphan, flucifre, gghezzo, gmeno, gparvin, grafana-maint, hhorak, hvyas, idevat, jburrell, jcosta, jhadvig, jokerman, jorton, jramanat, jweiser, jwendell, kakkoyun, kaycoth, kconner, kmalyjur, lcosic, mbenjamin, mgoldboi, mgoodwin, mhackett, michal.skrivanek, micjohns, mlisik, mpospisi, nathans, nodejs-maint, nodejs-sig, nstielau, omular, patrickm, pkrupa, rcernich, sbonazzo, sd-operator-metering, sgratch, sherold, sostapov, sponnaga, stcannon, surbania, swshanka, tflannag, thee, tojeline, tomckay, twalsh, vereddy, viktor.vix.jancik, vmugicag, yturgema, zsvetlik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | hosted-git-info 3.0.8, hosted-git-info 2.8.9 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A regular expression denial of service vulnerability was found in hosted-git-info. If an application allows user input into the affected regular expression (regexp) function, `shortcutMatch` or `fromUrl`, then an attacker could craft a regexp which takes an ever increasing amount of time to process, potentially resulting in a denial of service.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-07-28 01:07:10 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1943210, 1943209, 1943449, 1943450, 1943451, 1943540, 1943541, 1944279, 1944280, 1944281, 1945508, 1945509, 1945510, 1945511, 1945512, 1945513, 1945514, 1945515, 1945516, 1945517, 1945518, 1945519, 1946233, 1946234, 1946235, 1946236, 1946237, 1947741, 1947742, 1947743, 1947744, 1947745, 1952387, 1981755, 1981757, 1991584, 1991585, 1991586, 1991587 | ||
| Bug Blocks: | 1943211 | ||
|
Description
Pedro Sampaio
2021-03-25 15:09:30 UTC
Created nodejs-hosted-git-info tracking bugs for this issue: Affects: epel-7 [bug 1943210] Affects: fedora-all [bug 1943209] Upstream fix: https://github.com/npm/hosted-git-info/commit/bede0dc38e1785e732bf0a48ba6f81a4a908eba3 openshift-enterprise-console-container: Hoisted in several places but these all lead back to dev dependencies, i.e. hosted-git-info->normalize-package-data->read-pkg->node-sass->devDependency or jest. Also grepped the container js for `shortcutMatch` and `defaultRepresentation` and not hits. So marking not affected. grafana components (OCP & OSSM); - "_project_#read-pkg#normalize-package-data" depends on it - Hoisted from "_project_#read-pkg#normalize-package-data#hosted-git-info" - Hoisted from "_project_#lerna#@lerna#create#npm-package-arg#hosted-git-info" - Hoisted from "_project_#lerna#@lerna#version#@lerna#conventional-commits#conventional-changelog-core#get-pkg-repo#hosted-git-info" Looking at read-pkg its still only hoisted from dev deps, like jest, lerna etc. Also ran the container and grepped the webpack bundled code - so not affected. Prometheus component (OCP & OSSM): => Found "hosted-git-info.5" info Reasons this module exists - "eslint-plugin-import#read-pkg-up#read-pkg#normalize-package-data" depends on it - Hoisted from "eslint-plugin-import#read-pkg-up#read-pkg#normalize-package-data#hosted-git-info" Which is hoisted from react-scripts - Specified in "devDependencies" - Hoisted from "react-scripts#eslint-plugin-import" Which react-script is a prod dep - so filed affected/delegated. Thanos is the same as prometheus, so affected/delegated. For openshift-enterprise-console-container: actually correction, looks like it's hoisted also through patternfly-react so filing bug for it. Statement: While some components do package a vulnerable version of hosted-git-info, access to them requires OpenShift OAuth credentials and hence have been marked with a Low impact. This applies to the following products: - OpenShift Container Platform (OCP) - OpenShift ServiceMesh (OSSM) - Red Hat Advanced Cluster Management for Kubernetes (RHACM) Specifically the following components: - The OCP hive-container does ship the vulnerable component, however since OCP 4.6 the Metering product has been deprecated [1], set as wont-fix and may be fixed in a future release. Red Hat Ceph Storage (RHCS) 4 packages a version of nodejs-hosted-git-info which is vulnerable to this flaw in the grafana-container shipped with it. Red Hat Quay includes hosted-git-info as a dependency of karma-coverage which is only used at development time. The hosted-git-info library is not used at runtime so the impact is low for Red Hat Quay. [1] - https://access.redhat.com/solutions/5707561 This should be updated to note that version 2.8.9 of hosted-git-info is now unaffected. Dependabot fixed this issue in drift by bumping version. https://github.com/RedHatInsights/drift-frontend/pull/472 This issue has been addressed in the following products: Red Hat OpenShift Container Platform 4.8 Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23362 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2931 https://access.redhat.com/errata/RHSA-2021:2931 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2021:2932 https://access.redhat.com/errata/RHSA-2021:2932 This issue has been addressed in the following products: Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7 Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8 Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3073 https://access.redhat.com/errata/RHSA-2021:3073 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:3074 https://access.redhat.com/errata/RHSA-2021:3074 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639 This issue has been addressed in the following products: Red Hat Enterprise Linux 8.2 Extended Update Support Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638 |