Bug 2105075 (CVE-2022-31129)
Summary: | CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Sage McTaggart <amctagga> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | adudiak, afm404, agerstmayr, aileenc, alazarot, alcohan, amctagga, anjoseph, anstephe, aoconnor, aprice, asoldano, aturgema, aveerama, balejosg, bbaranow, bbuckingham, bcourt, bdettelb, bmaxwell, bmontgom, bniver, boliveir, brian.stansberry, btotty, caswilli, cdewolf, chazlett, cmiranda, crizzo, csnyder, danmick, darran.lofthouse, david, dffrench, dfreiber, dhalasz, dhanak, dkreling, doconnor, dosoudil, drichtar, drow, ecerquei, eclipseo, eglynn, ehelms, emingora, eparis, eric.wittmann, extras-orphan, fedora, fjansen, fjuma, flucifre, ggainey, gmalinko, gmeno, go-sig, gparvin, grafana-maint, gzaronik, hkataria, ibek, idm-ds-dev-bugs, i, istudens, ivassile, iweiss, janstey, jburrell, jcantril, jhadvig, jhnidek, jjoyce, jkoehler, jkoops, jkozol, jochrist, josef, jpavlik, jprabhak, jramanat, jrokos, jsamir, jschatte, jschluet, jshaughn, jsherril, jstephen, juwatts, jvasik, jwendell, jwong, jwon, kaycoth, kkeithle, kshier, kverlaen, lchilton, lemenkov, lgao, lhh, loic, lphiri, lsvaty, lzap, manisandro, manissin, mattias.ellert, mbenjamin, mburns, mgarciac, mgoodwin, mhackett, mhulan, michal.skrivanek, micjohns, mnovotny, mosmerov, mperina, msochure, msvehla, muagarwa, mwringe, nathans, ngough, nipatil, njean, nmoumoul, nobody, nonamedotc, nstielau, nwallace, ocs-bugs, oezr, orabin, owatkins, pahickey, pantinor, pcongius, pcreech, pdelbell, pdrozd, peholase, periklis, pesilva, pgrist, pjindal, ploffay, pmackay, porcelli, pskopek, pviktori, ramkrsna, rareddy, rblanco, rcernich, rchan, rgodfrey, rguimara, rhaigner, rhos-maint, rkubis, rmartinc, rogbas, rojacob, rowaters, rrajasek, rstancel, rstepani, rsvoboda, sbonazzo, scorneli, sfeifer, sgratch, smaestri, smallamp, sostapov, sponnaga, spoore, spower, stcannon, steve, sthirugn, sthorger, teagle, tfujiwar, tom.jenkinson, twalsh, vereddy, vkrizan, vkumar, vmugicag, wtam, yselkowi |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | moment 2.29.4 | Doc Type: | If docs needed, set a value |
Doc Text: | A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks. | ||
Story Points: | --- |
Clone Of: | Environment: | ||
Last Closed: | 2023-03-28 03:49:09 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 2107319, 2106579, 2106580, 2106581, 2106582, 2106583, 2106584, 2108743, 2108744, 2108745, 2108746, 2108747, 2108748, 2108749, 2108750, 2108751, 2108752, 2108753, 2108754, 2108755, 2108756, 2108758, 2108759, 2108760, 2108763, 2108983, 2109073, 2109074, 2109075, 2109076, 2109077, 2109078, 2109079, 2109080, 2109081, 2109082, 2109083, 2110422, 2110845, 2110846, 2110847, 2110848, 2110849, 2110850, 2110851, 2110852, 2110853, 2110854, 2112137, 2112138, 2112139, 2112140, 2112141, 2116712, 2116713, 2126486, 2126488 | ||
Bug Blocks: | 2105076 |
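The Doc Text above names the mitigation: bound the length of untrusted input before it reaches the moment constructor. The following is an added example, not code from Moment.js, from Red Hat or from this bug, showing a small guard an application can put in front of a date parser. `checkDateInput`, `parseDateGuarded`, `tryParseDate` and `MAX_DATE_INPUT_LENGTH` are hypothetical names; the 64-character limit is an assumption chosen for this example (real timestamps are far shorter, and any sane bound well below pathological input sizes works); and the parser used here is a plain `Date` wrapper standing in for `moment` so the example runs offline without the dependency.

```javascript
'use strict';

// Assumed, example-only bound on untrusted date strings. ISO-8601
// timestamps are well under this length; anything longer is rejected
// before any regex-based parser sees it.
const MAX_DATE_INPUT_LENGTH = 64;

class DateInputError extends Error {}

// Validate an untrusted value before handing it to a date parser.
// Returns the trimmed string, or throws DateInputError.
function checkDateInput(value, maxLength = MAX_DATE_INPUT_LENGTH) {
  if (typeof value !== 'string') {
    throw new DateInputError('date input must be a string');
  }
  // Length check first: this is the actual ReDoS mitigation, so it runs
  // before trim() or any other per-character work on the raw input.
  if (value.length > maxLength) {
    throw new DateInputError(`date input exceeds ${maxLength} characters`);
  }
  const trimmed = value.trim();
  if (trimmed.length === 0) {
    throw new DateInputError('date input is empty');
  }
  return trimmed;
}

// Parse with a caller-supplied parser (moment in a real application) only
// after the input has passed checkDateInput. Any parser that takes a string
// and returns an object with a moment-like isValid() can be plugged in.
function parseDateGuarded(value, parser, maxLength = MAX_DATE_INPUT_LENGTH) {
  const input = checkDateInput(value, maxLength);
  const result = parser(input);
  if (!result || typeof result.isValid !== 'function' || !result.isValid()) {
    throw new DateInputError('date input did not parse');
  }
  return result;
}

// Stand-in parser with a moment-like isValid(), so the example runs offline.
function standInParser(str) {
  const d = new Date(str);
  return { date: d, isValid: () => !Number.isNaN(d.getTime()) };
}

// Non-throwing wrapper returning a tagged result, convenient for request
// validation where a bad date should yield a 400 rather than a 500.
function tryParseDate(value, parser = standInParser) {
  try {
    return { ok: true, value: parseDateGuarded(value, parser) };
  } catch (err) {
    if (err instanceof DateInputError) {
      return { ok: false, reason: err.message };
    }
    throw err;
  }
}

// Constructed sample inputs: a normal timestamp and an oversized one.
console.log(tryParseDate('2022-07-07T20:26:47Z'));
console.log(tryParseDate('2022-07-07' + ' '.repeat(5000)));
```

In an application that depends on moment, the call becomes `parseDateGuarded(req.query.since, (s) => moment(s))`; the guard is deliberately independent of the parser so it can sit in front of whichever library does the parsing. The oversized sample is rejected by the length check even though `trim()` would have shrunk it, which is why the length check comes first.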
Description
Sage McTaggart
2022-07-07 20:26:47 UTC
Why have you CC'ed many people, or to be exact the i18n-bugs list, to this bug?

In reply to comment #2:
> Why have you CC'ed many people, or to be exact the i18n-bugs list, to this bug?

The default CC list is based on the affects, and is based on who is on the CC list for affected products.

I still don't get how the moment project CVE is related to i18n packages. The Fedora repository search only shows

    $ sudo dnf search moment
    Last metadata expiration check: 4 days, 19:21:18 ago on Thu 07 Jul 2022 12:24:40 PM IST.
    ============================== Name Matched: moment ==============================
    perl-Time-Moment.x86_64 : Represents a date and time of day with an offset from UTC
    ============================= Summary Matched: moment =============================
    R-FMStable.x86_64 : Finite Moment Stable Distributions

Is moment a bundled JavaScript library in some nodejs module package in Fedora?

You are not authorized to access bug #2105076.

Why is python-sig.org in CC for this RHEL bug? Is there something the Fedora SIG can/should do here?

In reply to comment #2:
> Why have you CC'ed many people, or to be exact the i18n-bugs list, to this bug?

i18n-bugs is on the initial CC list for the cldr-emoji-annotation component, which was added as possibly affected by this issue. The package is considered to include moment because of moment being listed in tools/cldr-apps/js/package-lock.json (in sources). However, moment does not seem to be included in the srpm and also in any binary rpm, hence this looks like a false positive.

In reply to comment #7:
> Why is python-sig.org in CC for this RHEL bug? Is there
> something the Fedora SIG can/should do here?

python-sig is added because of python-notebook, but I do not see why that component was added here as possibly affected.

In reply to comment #9:
> In reply to comment #7:
> > Why is python-sig.org in CC for this RHEL bug? Is there
> > something the Fedora SIG can/should do here?
>
> python-sig is added because of python-notebook, but I do not see why that
> component was added here as possibly affected.

Sigh, I was checking incorrectly. python-notebook seems to bundle and ship moment in site-packages/notebook/static/components/moment/

(In reply to Tomas Hoger from comment #10)
> In reply to comment #9:
> > In reply to comment #7:
> > > Why is python-sig.org in CC for this RHEL bug? Is there
> > > something the Fedora SIG can/should do here?
> >
> > python-sig is added because of python-notebook, but I do not see why that
> > component was added here as possibly affected.
>
> Sigh, I was checking incorrectly. python-notebook seems to bundle and ship
> moment in site-packages/notebook/static/components/moment/

It does, it also provides bundled(moment) = 2.19.3.

(In reply to Petr Viktorin from comment #7)
> Why is python-sig.org in CC for this RHEL bug? Is there
> something the Fedora SIG can/should do here?

This is not a RHEL bug, but a tracking bug that covers Fedora, RHEL, EPEL, etc. All the maintainers of all the affected components in all the products are CC'ed here. That includes python-sig.org.

> python-sig is added because of python-notebook

I see, thanks. For the future, where can I find the list of affected components?

(In reply to Tomas Hoger from comment #8)
> In reply to comment #2:
> > Why have you CC'ed many people, or to be exact the i18n-bugs list, to this bug?
>
> i18n-bugs is on the initial CC list for the cldr-emoji-annotation component,
> which was added as possibly affected by this issue. The package is
> considered to include moment because of moment being listed in
> tools/cldr-apps/js/package-lock.json (in sources). However, moment does not
> seem to be included in the srpm and also in any binary rpm, hence this looks
> like a false positive.

Thank you for confirming this false positive.

In reply to comment #5:
> You are not authorized to access bug #2105076.

moment is an npm library. Upon running deptopia (depcli -vs moment), we obtained the affects we have here. Here is the output for fedora.

    fedora-35 ceph (moment@, npm)
    fedora-35 cockpit-composer (moment.1, npm)
    fedora-35 cockpit-session-recording (moment.0, npm)
    fedora-35 couchdb (moment.0, npm)
    fedora-35 golang-github-apache-beam-2 (moment.0, npm)
    fedora-35 grafana (moment.0, npm) (and 2 more deps)
    fedora-35 python-ipyparallel (moment.2, npm)
    fedora-35 python-notebook (moment.3, None)
    fedora-35 syncthing (moment.4, None)
    fedora-35 workrave (moment.1, npm)
    fedora-35 zuul (moment.0, npm)
    fedora-36 ceph (moment@, npm)
    fedora-36 cldr-emoji-annotation (moment.1, npm)
    fedora-36 cockpit-composer (moment.1, npm)
    fedora-36 cockpit-session-recording (moment.0, npm)
    fedora-36 golang-github-apache-beam-2 (moment.0, npm)
    fedora-36 grafana (moment.0, npm) (and 2 more deps)
    fedora-36 pgadmin4 (moment.3, npm)
    fedora-36 python-ipyparallel (moment.2, npm)
    fedora-36 python-notebook (moment.3, None)
    fedora-36 subscription-manager-cockpit (moment.1, npm)
    fedora-36 syncthing (moment.4, None)
    fedora-36 workrave (moment.1, npm)
    fedora-36 zuul (moment.0, npm)

Created cldr-emoji-annotation tracking bugs for this issue:

Affects: fedora-36 [bug 2110850]

Created couchdb tracking bugs for this issue:

Affects: fedora-35 [bug 2110846]

Created golang-github-apache-beam-2 tracking bugs for this issue:

Affects: fedora-35 [bug 2110847]
Affects: fedora-36 [bug 2110851]

Created python-ipyparallel tracking bugs for this issue:

Affects: fedora-35 [bug 2110848]
Affects: fedora-36 [bug 2110852]

Created subscription-manager-cockpit tracking bugs for this issue:

Affects: fedora-36 [bug 2110853]

Created syncthing tracking bugs for this issue:

Affects: epel-8 [bug 2110845]

Created workrave tracking bugs for this issue:

Affects: fedora-35 [bug 2110849]
Affects: fedora-36 [bug 2110854]

This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:5913 https://access.redhat.com/errata/RHSA-2022:5913

This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:5914 https://access.redhat.com/errata/RHSA-2022:5914

This issue has been addressed in the following products:

  OSSM-2.2-RHEL-8

Via RHSA-2022:5915 https://access.redhat.com/errata/RHSA-2022:5915

This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:6271 https://access.redhat.com/errata/RHSA-2022:6271

This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:6272 https://access.redhat.com/errata/RHSA-2022:6272

This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:6277 https://access.redhat.com/errata/RHSA-2022:6277

This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370

This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:6392 https://access.redhat.com/errata/RHSA-2022:6392

This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2022:6393 https://access.redhat.com/errata/RHSA-2022:6393

This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.0 for RHEL 8

Via RHSA-2022:6422 https://access.redhat.com/errata/RHSA-2022:6422

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6507 https://access.redhat.com/errata/RHSA-2022:6507

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:6696 https://access.redhat.com/errata/RHSA-2022:6696

This issue has been addressed in the following products:

  RHPAM 7.13.1 async

Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813

This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835

This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.6

Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:7276 https://access.redhat.com/errata/RHSA-2022:7276

This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:7313 https://access.redhat.com/errata/RHSA-2022:7313

This issue has been addressed in the following products:

  Red Hat Fuse 7.11.1

Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2023:1486 https://access.redhat.com/errata/RHSA-2023:1486

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31129

This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3623 https://access.redhat.com/errata/RHSA-2023:3623