Bug 1956688 (CVE-2021-23383)

Summary: CVE-2021-23383 nodejs-handlebars: Remote code execution when compiling untrusted compile templates with compat:true option
Product: [Other] Security Response Reporter: Riccardo Schirone <rschiron>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alazarot, aos-bugs, bdettelb, bmontgom, cfeist, cluster-maint, e, emingora, eparis, etirelli, ewolinet, extras-orphan, gghezzo, gparvin, hvyas, ibek, idevat, jburrell, jcantril, jokerman, jramanat, jrokos, jstastny, jweiser, jwendell, kaycoth, kconner, kmalyjur, krathod, kverlaen, mlisik, mnovotny, mpospisi, nodejs-sig, nstielau, omular, piotr1212, pjindal, puebele, rcernich, rguimara, rrajasek, sponnaga, stcannon, thee, tojeline, tomckay, twalsh, tzimanyi
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: handlebars 4.7.7 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-handlebars. A unescaped value in the JavaScriptCompiler.prototype.depthedLookup function allows an attacker, who can provide untrusted handlebars templates, to execute arbitrary code in the javascript system (e.g. browser or server) when the template is compiled with the compat:true option. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-06-29 10:41:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1958632, 1883902, 1949679, 1952909, 1956695, 1956696, 1956705, 1956706, 1956870    
Bug Blocks: 1948762    

Description Riccardo Schirone 2021-05-04 08:44:53 UTC 
The package handlebars before 4.7.7 are vulnerable to Remote Code Execution (RCE) when using compat compile option to compile templates coming from an untrusted source.

Upstream patch:
https://github.com/handlebars-lang/handlebars.js/commit/f0589701698268578199be25285b2ebea1c1e427
Comment 1 Riccardo Schirone 2021-05-04 08:49:56 UTC 
This issue is just about the compat:true option.
Comment 2 Riccardo Schirone 2021-05-04 08:59:21 UTC 
Created nodejs-handlebars tracking bugs for this issue:

Affects: epel-7 [bug 1956695]
Affects: fedora-32 [bug 1956696]
Comment 12 Hardik Vyas 2021-05-10 13:09:41 UTC 
Statement:

Red Hat OpenShift Container Platform (OCP) 4 delivers the kibana package which includes Handlebars.js. From OCP 4.6, the kibana package is no longer shipped and will not be fixed. 
The openshift4/ose-logging-kibana6 container includes Handlebars.js directly as container first code.

In OpenShift Container Platform (OCP) and OpenShift ServiceMesh (OSSM) some components include the vulnerable handlebars library, but access is protected by OpenShift OAuth what reducing impact by this flaw to LOW.

Red Hat Quay includes Handlebars.js as a development dependency. It does not use Handlebars.js at runtime to process templates so have been given a low impact rating.

Red Hat Gluster Storage 3 bundles vulnerable Handlebars.js (with pcs), however it does not use "compat" option and templates from external sources, hence this issue has been rated as having a security impact of Low.
Comment 16 errata-xmlrpc 2021-06-29 06:30:35 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.6

Via RHSA-2021:2500 https://access.redhat.com/errata/RHSA-2021:2500
Comment 17 Product Security DevOps Team 2021-06-29 10:41:36 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23383
Comment 18 errata-xmlrpc 2021-08-06 00:51:14 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
Comment 20 errata-xmlrpc 2021-11-17 02:23:05 UTC 
This issue has been addressed in the following products:

  OpenShift Logging 5.1

Via RHSA-2021:4628 https://access.redhat.com/errata/RHSA-2021:4628
Comment 21 errata-xmlrpc 2021-11-17 03:31:49 UTC 
This issue has been addressed in the following products:

  OpenShift Logging 5.2

Via RHSA-2021:4032 https://access.redhat.com/errata/RHSA-2021:4032
Comment 24 errata-xmlrpc 2023-03-20 09:13:25 UTC 
This issue has been addressed in the following products:

  Red Hat Process Automation

Via RHSA-2023:1334 https://access.redhat.com/errata/RHSA-2023:1334