Bug 1944286 (CVE-2021-23358)

Summary: CVE-2021-23358 nodejs-underscore: Arbitrary code execution via the template function
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Severity: high
Docs Contact:
Priority: high
Version: unspecified
CC: alegrand, amctagga, anharris, anpicker, bdettelb, bmontgom, bniver, dblechte, dfediuck, djc, eedri, eparis, erooth, flucifre, gghezzo, gmeno, gparvin, hvyas, jburrell, jokerman, jramanat, jweiser, kakkoyun, kaycoth, lcosic, mbenjamin, mgoldboi, mhackett, michal.skrivanek, nodejs-sig, nstielau, pkrupa, puebele, rhcs-maint, sbonazzo, sgratch, sherold, sostapov, sponnaga, stcannon, surbania, tchollingsworth, thee, tomckay, vereddy, virt-maint, vmugicag, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: underscore 1.13.0-2, underscore 1.12.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-underscore. Arbitrary code execution via the template function is possible, particularly when a variable property is passed as an argument as it is not sanitized. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2021-04-28 22:46:44 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1944288, 1945625, 1944287, 1944399, 1944400, 1944401, 1944525, 1944739, 1944741, 1944904, 1944905, 1945003, 1945004, 1945323, 1945624, 1951619, 1972645, 1972646
Bug Blocks: 1944289

Description Pedro Sampaio 2021-03-29 17:15:30 UTC
The package underscore from 1.13.0-0 and before 1.13.0-2, and from 1.3.2 and before 1.12.1, is vulnerable to Arbitrary Code Execution via the template function, particularly when a variable property is passed as an argument, as it is not sanitized.

References:

https://github.com/jashkenas/underscore/blob/master/modules/template.js#L71
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1081504
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBJASHKENAS-1081505
https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1081503
https://snyk.io/vuln/SNYK-JS-UNDERSCORE-1080984
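
Two defender-side checks for the flaw described in this report, added here as an example; this is not code from the bug report or from the underscore project. The affected-range check uses only the version boundaries stated in the description (1.3.2 up to but excluding 1.12.1, and 1.13.0-0 up to but excluding 1.13.0-2), compared under semver rules so that the pre-release tags on the 1.13.0 builds sort correctly. The second check, `assertBareIdentifier` (a name of our own), is a caller-side precondition on the template `variable` setting, rejecting anything that is not a plain JavaScript identifier before it reaches the template compiler; it illustrates the kind of sanitization the report says the affected versions lack, and is not the library's own fix.

```javascript
// Added example for CVE-2021-23358 (not from the bug report or from underscore).

// --- 1. Is an installed underscore version inside the affected ranges? ---

// Parse "MAJOR.MINOR.PATCH[-prerelease]" (an optional leading "v" is tolerated).
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?$/.exec(String(v).trim());
  if (!m) throw new Error('not a semver version: ' + v);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : [],
  };
}

// Compare one pre-release identifier: numeric ones compare as numbers and
// sort before alphanumeric ones, as semver specifies.
function compareIdent(a, b) {
  const na = /^\d+$/.test(a), nb = /^\d+$/.test(b);
  if (na && nb) return Math.sign(Number(a) - Number(b));
  if (na) return -1;
  if (nb) return 1;
  return a < b ? -1 : a > b ? 1 : 0;
}

// Returns -1, 0 or 1 like a sort comparator.
function compareVersions(a, b) {
  const x = parseVersion(a), y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x.core[i] !== y.core[i]) return Math.sign(x.core[i] - y.core[i]);
  }
  if (x.pre.length === 0 && y.pre.length === 0) return 0;
  if (x.pre.length === 0) return 1;   // a release outranks its own pre-releases
  if (y.pre.length === 0) return -1;
  const n = Math.min(x.pre.length, y.pre.length);
  for (let i = 0; i < n; i++) {
    const c = compareIdent(x.pre[i], y.pre[i]);
    if (c !== 0) return c;
  }
  return Math.sign(x.pre.length - y.pre.length);
}

// Ranges exactly as stated in the bug description: inclusive lower bound,
// exclusive upper bound.
const AFFECTED_RANGES = [
  { from: '1.3.2', before: '1.12.1' },
  { from: '1.13.0-0', before: '1.13.0-2' },
];

function isAffectedUnderscore(version) {
  return AFFECTED_RANGES.some(r =>
    compareVersions(version, r.from) >= 0 && compareVersions(version, r.before) < 0);
}

// --- 2. Guard the `variable` template setting before it is used ---

// Our own rule (assumption): the setting must be a single bare identifier,
// because the template compiler turns it into a parameter name of the
// generated function. Anything else is refused up front.
const BARE_IDENTIFIER = /^[A-Za-z_$][\w$]*$/;

function assertBareIdentifier(name) {
  if (typeof name !== 'string' || !BARE_IDENTIFIER.test(name)) {
    throw new Error('template "variable" setting must be a bare identifier');
  }
  return name;
}

// Copy of a settings object whose `variable` (if present) has passed the guard;
// hand the result to the template call instead of the raw settings.
function safeTemplateSettings(settings) {
  const out = Object.assign({}, settings);
  if (out.variable !== undefined) assertBareIdentifier(out.variable);
  return out;
}

// Stand-alone demonstration.
for (const v of ['1.9.2', '1.12.0', '1.12.1', '1.13.0-1', '1.13.0-2', '1.13.0']) {
  console.log(v, isAffectedUnderscore(v) ? 'AFFECTED' : 'not affected');
}
console.log(safeTemplateSettings({ variable: 'data' }));
```

A dependency audit would feed `isAffectedUnderscore` the version from each resolved `underscore` entry in the lockfile; the identifier guard belongs wherever the `variable` setting is built from anything other than a literal in your own source.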

Comment 1 Pedro Sampaio 2021-03-29 17:16:07 UTC
Created nodejs-underscore tracking bugs for this issue:

Affects: epel-7 [bug 1944288]
Affects: fedora-all [bug 1944287]

Comment 18 Borja Tarraso 2021-04-27 09:11:17 UTC
Statement:

Whilst the OpenShift Container Platform (OCP) openshift4/ose-grafana and openshift3/grafana containers, as well as the console, grc-ui and search-ui containers for Red Hat Advanced Cluster Management for Kubernetes (RHACM), include the vulnerable underscore library, access to it is protected by OpenShift OAuth. Additionally, this library is used in the openshift4/ose-grafana container only in the Grafana End-to-End Test package. Therefore the impact of this flaw is reduced to Low for the affected OCP components, which are marked as "will not fix" at this time, and to Moderate for the affected RHACM components. This might be fixed in a future release.

The Red Hat products below include the underscore dependency, but it is not used by the product, and hence this issue has been rated as having a security impact of Low.

* Red Hat Quay
* Red Hat Gluster Storage 3
* Red Hat OpenShift Container Storage 4
* Red Hat Ceph Storage 3 and 4

Comment 19 errata-xmlrpc 2021-04-28 17:00:31 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.0 for RHEL 7

Via RHSA-2021:1448 https://access.redhat.com/errata/RHSA-2021:1448

Comment 20 Product Security DevOps Team 2021-04-28 22:46:44 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23358

Comment 21 errata-xmlrpc 2021-05-04 20:14:42 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1499 https://access.redhat.com/errata/RHSA-2021:1499

Comment 23 errata-xmlrpc 2021-07-22 15:11:50 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:2865 https://access.redhat.com/errata/RHSA-2021:2865

Comment 26 errata-xmlrpc 2022-09-08 11:28:31 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2022:6393 https://access.redhat.com/errata/RHSA-2022:6393