Bug 2066009 (CVE-2021-44906)
Summary: | CVE-2021-44906 minimist: prototype pollution | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Nick Tait <ntait> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | aboyko, aileenc, akostadi, alazarot, amackenz, amasferr, amctagga, amuller, anjoseph, anpicker, anstephe, anthomas, aos-bugs, aschwart, asoldano, bbaranow, bbuckingham, bcourt, bdettelb, bmaxwell, bmontgom, boliveir, brian.stansberry, btotty, cbartlet, cdewolf, chazlett, darran.lofthouse, dfreiber, dhanak, dkreling, dmayorov, doconnor, dosoudil, drieden, drow, dwhatley, dymurray, ecerquei, ehelms, emingora, eparis, erooth, etirelli, extras-orphan, fjuma, ggainey, gmalinko, hhorak, ibek, ibolton, ikanias, istudens, ivassile, iweiss, janstey, jary, jburrell, jcantril, jhadvig, jlledo, jmatthew, jmontleo, jochrist, jokerman, jorton, jprabhak, jrokos, jsherril, jstastny, juwatts, jwendell, jwon, krathod, kverlaen, lgao, lzap, manissin, mhulan, michal.skrivanek, mkudlej, mmakovy, mmccune, mnovotny, mosmerov, mperina, mpoole, mposolda, mrunge, msochure, msvehla, myarboro, nmoumoul, nodejs-maint, nodejs-sig, nstielau, nwallace, orabin, osousa, ovanders, pcreech, pdelbell, pdrozd, periklis, pesilva, pgaikwad, pjindal, pmackay, porcelli, pskopek, rcernich, rchan, rguimara, rjohnson, rkshirsa, rojacob, rrajasek, rravi, rstancel, rstepani, rsvoboda, sbonazzo, sd-operator-metering, sgallagh, sgratch, slucidi, smaestri, smallamp, spasquie, sponnaga, sseago, ssilvert, sthorger, stulshan, tchollingsworth, teagle, tflannag, thrcka, tjochec, tohughes, tom.jenkinson, tzimanyi, vkumar, vmuzikar, wtam, zsvetlik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | minimist 1.2.6 | Doc Type: | If docs needed, set a value |
Doc Text: |
A prototype pollution flaw was found in minimist. The original fix for CVE-2020-7598 was incomplete: it could still be bypassed in some cases. This flaw (CVE-2021-44906) allows an attacker to trick the library into adding or modifying properties of Object.prototype using a constructor or __proto__ payload, resulting in prototype pollution and loss of confidentiality, availability, and integrity.
|
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2022-05-06 00:15:30 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2071501, 2073584, 2071497, 2071498, 2071499, 2071500, 2071502, 2073583, 2073585, 2073596, 2073597, 2073598, 2073599, 2087170, 2125374, 2125375, 2125376, 2125377, 2125378, 2125379, 2125380, 2148958, 2148959, 2148960, 2148966, 2148970, 2148973, 2148974, 2148975, 2148976, 2148977, 2148978, 2148979 | ||
Bug Blocks: | 2066010 |
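The Doc Text above states the mechanism in one sentence. What follows is an added example, not minimist's source and not code from this bug or from Red Hat: a minimal "--key.sub=value" parser whose dotted-key setter is written twice, once with only the literal `__proto__` segment blocked (the shape of the incomplete CVE-2020-7598 fix) and once with the `constructor`/`__proto__` guard of the kind minimist 1.2.6 adopted. The function names, the mini-parser, the `polluted` marker and the payload strings are all this example's own constructions.

```javascript
'use strict';
// Added example for CVE-2021-44906. This is NOT minimist's source: it is a
// minimal "--a.b.c=value" parser whose dotted-key setter is written two ways,
// to show why blocking only the literal "__proto__" key (the shape of the first
// CVE-2020-7598 fix) is bypassable through "constructor.prototype", and how a
// 1.2.6-style check closes it. All names and payloads below are constructed here.

const hasOwn = (o, k) => Object.prototype.hasOwnProperty.call(o, k);

// Incomplete fix: refuses the literal "__proto__" segment but happily walks into
// obj.constructor (the global Object function) and then into Object.prototype.
function setKeyIncompleteFix(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (key === '__proto__') return;          // the only guard
    if (o[key] === undefined) o[key] = {};    // o.constructor is defined: it is Object
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (last === '__proto__') return;
  o[last] = value;                            // may land on Object.prototype
}

// Complete fix: never traverse or assign through "__proto__", nor through a
// "constructor" segment whose current value is a function (Object, Function, ...).
// This mirrors the isConstructorOrProto guard minimist added in 1.2.6; the extra
// own-property/plain-object check is this example's own addition.
function isConstructorOrProto(o, key) {
  return (key === 'constructor' && typeof o[key] === 'function') || key === '__proto__';
}

function setKeyHardened(obj, keys, value) {
  let o = obj;
  for (const key of keys.slice(0, -1)) {
    if (isConstructorOrProto(o, key)) return;
    if (!hasOwn(o, key) || typeof o[key] !== 'object' || o[key] === null) o[key] = {};
    o = o[key];
  }
  const last = keys[keys.length - 1];
  if (isConstructorOrProto(o, last)) return;
  o[last] = value;
}

// Tiny argv parser: handles "--key.sub=value" and bare "--flag" only.
function parseArgs(argv, setKey) {
  const out = {};
  for (const arg of argv) {
    if (!arg.startsWith('--')) continue;
    const eq = arg.indexOf('=');
    const rawKey = eq === -1 ? arg.slice(2) : arg.slice(2, eq);
    const value = eq === -1 ? true : arg.slice(eq + 1);
    setKey(out, rawKey.split('.'), value);
  }
  return out;
}

// The observable symptom of pollution: a fresh, empty object inherits the marker.
function prototypeIsPolluted(marker) {
  return ({})[marker] !== undefined;
}

// Feed one payload through a setter, record whether Object.prototype got the
// marker, then remove it so one probe cannot contaminate the next.
function tryPayload(setKey, argv, marker) {
  const parsed = parseArgs(argv, setKey);
  const polluted = prototypeIsPolluted(marker);
  delete Object.prototype[marker];
  return { polluted, parsed };
}

// Constructed payloads: the form the 2020 fix stops, the 2021 bypass, and
// ordinary nested options that a hardened setter must still accept.
const PROTO_PAYLOAD = ['--__proto__.polluted=yes'];
const CTOR_PAYLOAD = ['--constructor.prototype.polluted=yes'];
const BENIGN_ARGS = ['--db.host=localhost', '--verbose'];

function demo() {
  return {
    incompleteProto: tryPayload(setKeyIncompleteFix, PROTO_PAYLOAD, 'polluted').polluted,
    incompleteCtor: tryPayload(setKeyIncompleteFix, CTOR_PAYLOAD, 'polluted').polluted,
    hardenedProto: tryPayload(setKeyHardened, PROTO_PAYLOAD, 'polluted').polluted,
    hardenedCtor: tryPayload(setKeyHardened, CTOR_PAYLOAD, 'polluted').polluted,
    hardenedBenign: tryPayload(setKeyHardened, BENIGN_ARGS, 'polluted').parsed,
  };
}

console.log(demo());
```

Run with node: the incomplete-fix setter rejects the `__proto__` form but lets `constructor.prototype` reach Object.prototype, while the hardened setter rejects both and still parses `--db.host=localhost --verbose` normally. The same `tryPayload` probe, pointed at a real `require('minimist')` instead of the setters above, is a quick way to confirm that the copy actually loaded at runtime (including one vendored inside another package) carries the 1.2.6 fix, rather than trusting a version string alone.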
Description
Nick Tait
2022-03-19 23:06:18 UTC
Upstream bug page: https://github.com/substack/minimist/issues/164

Created nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2073585]

Created nodejs-minimist tracking bugs for this issue:
Affects: epel-all [bug 2073584]
Affects: fedora-all [bug 2073583]

This issue has been addressed in the following products:
OpenShift Service Mesh 2.1
Via RHSA-2022:1739 https://access.redhat.com/errata/RHSA-2022:1739

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):
https://access.redhat.com/security/cve/cve-2021-44906

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Via RHSA-2022:4914 https://access.redhat.com/errata/RHSA-2022:4914

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 8
Via RHSA-2022:5893 https://access.redhat.com/errata/RHSA-2022:5893

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7
Via RHSA-2022:5892 https://access.redhat.com/errata/RHSA-2022:5892

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.4 for RHEL 9
Via RHSA-2022:5894 https://access.redhat.com/errata/RHSA-2022:5894

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform
Via RHSA-2022:5928 https://access.redhat.com/errata/RHSA-2022:5928

This issue has been addressed in the following products:
Red Hat OpenShift Container Platform 4.11
Via RHSA-2022:5069 https://access.redhat.com/errata/RHSA-2022:5069

This issue has been addressed in the following products:
RHPAM 7.13.1 async
Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Via RHSA-2022:7044 https://access.redhat.com/errata/RHSA-2022:7044

This issue has been addressed in the following products:
Red Hat Fuse 7.11.1
Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2022:9073 https://access.redhat.com/errata/RHSA-2022:9073

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:0050 https://access.redhat.com/errata/RHSA-2023:0050

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:0321 https://access.redhat.com/errata/RHSA-2023:0321

I'm investigating some flaws that came up on a customer's vuln scanner. This one was especially flagged because there is a big disparity between CVSS and impact rating but no justification (CVSS comment or statement) provided. I've re-evaluated this flaw and come to the conclusion that our rating was significantly wrong. As a result I am now revising the impact (from moderate to critical) and CVSS (5.6 to 9.8) long after work began on a flaw. As this is an unusual situation, I am listing my reasoning here:

* The analyst who owned this flaw no longer works here, so I can't ask them to provide justification of the initial lower score.
* Both upstream and NVD agree on a 9.8 CVSS - making it Critical impact.
* The Upstream and NVD advisories link to a SNYK advisory, but this is for a DIFFERENT CVE! That link is now at least tagged as "Not Applicable" on NVD. My guess is that whoever published this CVE accidentally linked to an incorrect page which contributed to this mixup in the first place.
* There also seems to be something wrong on SNYK's advisory. On the right side of https://security.snyk.io/vuln/SNYK-ROCKY8-NODEJSPACKAGING-3195467 (which does associate with this CVE) it shows a SNYK CVSS of simply "MEDIUM". Immediately underneath that it indicates the NVD rating is "9.8 CRITICAL". The problem is that expanding details for both show *identical* sub-score picks (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
* It seems that the organization behind minimist was renamed/restructured causing loss of some data. The upstream issue page on GitHub no longer exists. The new location for the repo appears to be https://github.com/minimistjs/minimist whereas the old one was https://github.com/substack/minimist. I haven't found any cached copies of the issue page. Honestly, I feel lucky that the GitHub security advisory still exists :|
* With the very limited remaining information, I don't see any reason to keep the impact so low.

(In reply to Nick Tait from comment #40)

Hi Nick,

While this might be an issue for minimist on its own, could you please take a closer look at Node.js / Nodemon, which bundle these libraries? I'd be surprised if the bug is exploitable there and it would justify the change from Medium to Critical. Closer analysis would help us determine how important the fixes in EUS releases for Node.js / Nodemon might be. These are the tickets in question:

https://bugzilla.redhat.com/buglist.cgi?quicksearch=2148973%2C2148979%2C2148977%2C2148975%2C2148970%2C2148959%2C2148960&list_id=13085826

Thx for your help

@ntait since you have changed the rating back to medium, are you going to update also the trackers?

(In reply to Vít Ondruch from comment #42)
> @ntait since you have changed the rating back to medium, are you
> going to update also the trackers?

Oh, they were updated, I just had not noticed. Thx and sorry for the noise

Vit, after getting strong reactions from a number of sources (including customers) I realized just how terrible a choice I had made. Worked with my team on writing a justification then restored the impact rating. My apologies to engineering for all the chaos and extra spam that I caused. Your initial question was valid, no worries!

(In reply to Nick Tait from comment #44)

No need for apologies. Thank you for your hard work.

This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 7
Via RHSA-2023:0612 https://access.redhat.com/errata/RHSA-2023:0612

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 7
Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 8
Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

This issue has been addressed in the following products:
Red Hat Single Sign-On 7.6 for RHEL 9
Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

This issue has been addressed in the following products:
RHEL-8 based Middleware Containers
Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

This issue has been addressed in the following products:
Red Hat Single Sign-On
Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.4 Extended Update Support
Via RHSA-2023:1533 https://access.redhat.com/errata/RHSA-2023:1533

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Extended Update Support
Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742

Hello team,

I see an OpenShift component is shown 'affected' but the status is shown 'Fix deferred'.

Red Hat OpenShift Container Platform 4 | openshift4/ose-metering-hadoop | Fix deferred

Can someone please tell me whether it's rejected by Red Hat and also any particular reason? This would help us assist the CU better. Thanks in advance.

This issue has been addressed in the following products:
Red Hat JBoss Enterprise Application Platform 7.3 EUS for RHEL 7
Via RHSA-2025:1747 https://access.redhat.com/errata/RHSA-2025:1747