Bug 2007557 (CVE-2021-3807)
| Summary: | CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | Jan Houska <jhouska> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | adsoni, aileenc, akoufoud, alazarot, alcohan, amctagga, amuller, anharris, anjoseph, anpicker, anstephe, anthomas, aoconnor, aos-bugs, asoldano, atangrin, aturgema, bbaranow, bbuckingham, bcoca, bcourt, bdettelb, bibryam, bkearney, bmaxwell, bmontgom, bniver, brian.stansberry, bstansbe, btotty, cdewolf, chazlett, chousekn, darran.lofthouse, davidn, dfediuck, dfreiber, dhanak, dkreling, dlofthou, doconnor, dosoudil, drieden, drosa, drow, dymurray, ehelms, eleandro, eparis, eric.wittmann, erooth, etamir, etirelli, ewittman, extras-orphan, fjuma, flucifre, gblomqui, ggainey, ggaughan, gghezzo, gmalinko, gmeno, gparvin, groman, hbraun, hhorak, hvyas, ibek, ibolton, istudens, ivassile, iweiss, janstey, jbalunas, jburrell, jcammara, jcantril, jhadvig, jhardy, jhouska, jmatthew, jmontleo, jnethert, jobarker, jochrist, jorton, jpallich, jperkins, jprabhak, jramanat, jrokos, jross, jsherril, jstastny, juwatts, jwendell, jwon, krathod, kverlaen, kwills, lgao, lzap, mabashia, manissin, mbenjamin, mhackett, mhulan, michal.skrivanek, mmccune, mnovotny, mosmerov, mperina, msochure, msvehla, myarboro, nbecker, nipatil, nmoumoul, nodejs-maint, nodejs-sig, nstielau, nwallace, ocs-bugs, orabin, osapryki, osousa, pahickey, pantinor, pberan, pcreech, pdelbell, pesilva, pgaikwad, piotr1212, pjindal, pmackay, rcernich, rchan, relrod, rgodfrey, rguimara, rhaigner, rjohnson, rkubis, rpetrell, rrajasek, rstancel, rstepani, rsvoboda, sausingh, sbonazzo, scorneli, sd-operator-metering, sgratch, slucidi, smaestri, smallamp, smcdonal, sostapov, spasquie, sponnaga, sseago, stcannon, tflannag, thjenkin, thrcka, tkuratom, tmalecek, tom.jenkinson, twalsh, tzimanyi, vdosoudi, vereddy, viktor.vix.jancik, vkumar, wtam, yborgess, zsvetlik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | nodejs-ansi-regex 6.0.1, nodejs-ansi-regex 5.0.1 | Doc Type: | If docs needed, set a value |
| Doc Text: | A regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-03-03 18:50:00 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2007558, 2007559, 2008375, 2008376, 2008377, 2012330, 2013351, 2013353, 2013354, 2013355, 2013356, 2013357, 2013824, 2013825, 2013826, 2013827, 2013828, 2013829, 2013830, 2013831, 2013832, 2013833, 2013834, 2013835, 2014334, 2014335, 2014336, 2014337, 2014338, 2014339, 2014340, 2014341, 2014342, 2014343, 2014344, 2014345, 2014688, 2014689, 2014690, 2016079, 2020063, 2020064, 2020065, 2020068, 2027638, 2027641, 2027642, 2028389, 2029523, 2029524, 2029525, 2031770, 2031771, 2038298, 2086781, 2086782, 2086784, 2086785, 2124232 | ||
| Bug Blocks: | 2007561 | ||
|
Description
Marian Rehak
2021-09-24 09:17:51 UTC
Created nodejs-ansi-regex tracking bugs for this issue:

Affects: epel-7 [bug 2007559]
Affects: fedora-33 [bug 2007558]

Upstream pull request: https://github.com/chalk/ansi-regex/pull/37
Upstream commit: https://github.com/chalk/ansi-regex/commit/8d1d7cdb586269882c4bdc1b7325d0c58c8f76f9

This issue was introduced in ansi-regex 3.0.0 via this commit: https://github.com/chalk/ansi-regex/commit/69bebf6b8b1ac9b4d70a411109b88bb650972f65

This issue also affects the npm and nodejs-nodemon packages, which bundle affected versions of ansi-regex. There are multiple copies of ansi-regex in each of those packages, included as their dependencies. Upstream bug report for npm about affected ansi-regex versions bundled with npm: https://github.com/npm/cli/issues/3785 The latest npm version at the time - 8.0.0 - is still affected.

The nodejs package is also affected. In addition to including npm with affected ansi-regex versions (see comments above), it also includes a copy of the problematic regular expression in its internal modules: https://github.com/nodejs/node/blob/v14.18.1/lib/internal/util/inspect.js#L201-L208

This regular expression was fixed (using the fix from the ansi-regex module) in nodejs version 16.11.0:
https://github.com/nodejs/node/commit/66d310167725dc7785b6cc684f1c3c0b4af8fe6c
https://github.com/nodejs/node/pull/40214

This vulnerability is out of security support scope for the following products:

* Red Hat AMQ Online

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.
This issue has been addressed in the following products:

* Red Hat Enterprise Linux 8 via RHSA-2021:5171 https://access.redhat.com/errata/RHSA-2021:5171
* Red Hat Software Collections for Red Hat Enterprise Linux 7 via RHSA-2022:0041 https://access.redhat.com/errata/RHSA-2022:0041
* Red Hat Enterprise Linux 8.4 Extended Update Support via RHSA-2022:0246 https://access.redhat.com/errata/RHSA-2022:0246
* Red Hat Enterprise Linux 8 via RHSA-2022:0350 https://access.redhat.com/errata/RHSA-2022:0350
* Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8 via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3807

This issue has been addressed in the following products:

* Red Hat Virtualization Engine 4.4 via RHSA-2022:4711 https://access.redhat.com/errata/RHSA-2022:4711
* Red Hat Migration Toolkit for Containers 1.6 via RHSA-2022:4814 https://access.redhat.com/errata/RHSA-2022:4814
* Red Hat Migration Toolkit for Containers 1.7 via RHSA-2022:5483 https://access.redhat.com/errata/RHSA-2022:5483
* Red Hat Fuse 7.11 via RHSA-2022:5532 https://access.redhat.com/errata/RHSA-2022:5532
* Red Hat Virtualization Engine 4.4 via RHSA-2022:5555 https://access.redhat.com/errata/RHSA-2022:5555
* Red Hat Enterprise Linux 8 via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449
* Red Hat Enterprise Linux 9 via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595
* RHODF-4.13-RHEL-9 via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742