Bug 1944822 (CVE-2021-29418)

Summary: CVE-2021-29418 nodejs-netmask: incorrectly parses an IP address that has octal integer with invalid character
Product: [Other] Security Response Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: extras-orphan, gghezzo, gparvin, jramanat, jweiser, nodejs-sig, stcannon, thee
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs-netmask 2.0.1 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-04 20:33:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1944823, 1944824, 1945796, 1945797, 1945798, 1945799, 1946344    
Bug Blocks: 1944830    

Description Guilherme de Almeida Suckevicz 2021-03-30 17:55:46 UTC 
The netmask package before 2.0.1 for Node.js mishandles certain unexpected characters in an IP address string, such as an octal digit of 9. This (in some situations) allows attackers to bypass access control that is based on IP addresses. NOTE: this issue exists because of an incomplete fix for CVE-2021-28918.

Reference:
https://vuln.ryotak.me/advisories/6.txt

Upstream patch:
https://github.com/rs/node-netmask/commit/3f19a056c4eb808ea4a29f234274c67bc5a848f4
Comment 1 Guilherme de Almeida Suckevicz 2021-03-30 17:56:12 UTC 
Created nodejs-netmask tracking bugs for this issue:

Affects: epel-7 [bug 1944824]
Affects: fedora-32 [bug 1944823]
Comment 3 Jan Werner 2021-04-20 20:00:10 UTC 
Statement:

The impact of this flaw largely depends on the environment where the affected library is being used. This flaw could be used to redirect an adversary to an exposed, unprotected endpoint. Depending on the functionality of the affected endpoint that could result in a loss of confidentiality, integrity and availability. The affected library is used in Red Hat Advanced Cluster Management for Kubernetes only in the development and build processes. Consequently the severity of this flaw to RHACM is downgraded to low.
Comment 4 Jan Werner 2021-04-20 20:00:12 UTC 
External References:

https://sick.codes/universal-netmask-npm-package-used-by-270000-projects-vulnerable-to-octal-input-data-server-side-request-forgery-remote-file-inclusion-local-file-inclusion-and-more-cve-2021-28918
Comment 5 errata-xmlrpc 2021-05-04 20:14:41 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1499 https://access.redhat.com/errata/RHSA-2021:1499
Comment 6 Product Security DevOps Team 2021-05-04 20:33:42 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-29418
Comment 7 errata-xmlrpc 2021-08-06 00:50:47 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016