Bug 2265161 (CVE-2023-42282)

Summary: CVE-2023-42282 nodejs-ip: arbitrary code execution via the isPublic() function
Product: [Other] Security Response
Reporter: Robb Gatica <rgatica>
Component: vulnerability
Assignee: Product Security <prodsec-ir-bot>
Status: NEW
Severity: high
Priority: high
Version: unspecified
CC: aazores, aileenc, amasferr, amctagga, arturo, asoldano, bbaranow, bmaxwell, brian.stansberry, cdewolf, chazlett, cmiranda, darran.lofthouse, dkreling, dosoudil, eaguilar, ebaron, eric.wittmann, fjuma, gmalinko, gparvin, hhorak, ivassile, iweiss, janstey, jcantril, jchui, jkang, jkoehler, jorton, jpallich, jshaughn, jstanek, jwendell, ktsao, lbainbri, lgao, mkudlej, mosmerov, msochure, mstefank, msvehla, mwringe, nbecker, nboldt, njean, nodejs-maint, nwallace, owatkins, pahickey, pantinor, parichar, pcongius, pdelbell, pjindal, pmackay, rcernich, rhaigner, rstancel, rtaniwa, sdawley, sfroberg, shbose, smaestri, tasato, tjochec, tkral, tom.jenkinson, twalsh
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: nodejs-ip 1.1.9, nodejs-ip 2.0.1
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in the NPM IP Package. This flaw allows an attacker to perform arbitrary code execution and obtain sensitive information via the isPublic() function by inducing a Server-Side Request Forgery (SSRF) attack and obtaining access to normally inaccessible resources.
Story Points: ---
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 2265162, 2265683, 2265684, 2265685, 2265686, 2265687, 2266438, 2267134, 2267135, 2267136, 2267137
Bug Blocks: 2265682

Description Robb Gatica 2024-02-20 18:38:08 UTC
An issue in NPM IP Package v.1.1.8 and before allows an attacker to execute arbitrary code and obtain sensitive information via the isPublic() function.

https://cosmosofcyberspace.github.io/npm_ip_cve/npm_ip_cve.html
https://github.com/indutny/node-ip

Comment 1 Robb Gatica 2024-02-20 18:38:19 UTC
Created nodejs-ip tracking bugs for this issue:

Affects: epel-all [bug 2265162]

Comment 2 Patrick Del Bello 2024-02-23 16:12:26 UTC
Created golang-github-prometheus tracking bugs for this issue:

Affects: epel-all [bug 2265683]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2265684]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2265685]

Comment 6 Sandipan Roy 2024-02-27 04:54:31 UTC
Statement Added:

It appears that npm does not utilize the bundled code, making it vulnerable. So Red Hat Enterprise Linux is not affected by this vulnerability.

While the vulnerability in the NPM IP Package presents a significant security concern, it's categorized as important rather than critical due to several factors. Firstly, the misclassification of the private IP address 0x7f.1 as public by the isPublic() function does not directly lead to remote code execution or unauthorized access to critical systems. Instead, it facilitates SSRF attacks, which typically require additional conditions to fully exploit, such as the ability to influence server-side requests and responses. Additionally, the impact of SSRF attacks can vary depending on the specific environment and configuration of the affected system. While SSRF attacks can potentially lead to data exposure, service disruption, or lateral movement within a network, their severity is often mitigated by factors such as network segmentation, access controls, and the availability of sensitive resources.

Comment 11 arturo 2024-04-01 18:57:50 UTC
https://access.redhat.com/security/cve/cve-2023-42282
The RedHat CVE shows that the RHEL8 node 18 distribution is `not affected` but when I inspect the base image, the vulnerable version of `ip` 2.0.0 is still installed:
```
MacBook-Pro-2 Desktop % podman run -it -u root --rm registry.access.redhat.com/ubi8/nodejs-18@sha256:cf3b944a5fffa2da8e133583b406004c583dd6e17dfea24825cd3f15f6335ac2 bash 
bash-4.4# cd lib/node_modules/npm/
bash-4.4# cat package.json | grep version
  "version": "10.2.4",
    "libnpmversion": "^5.0.1",
    "libnpmversion",
    "version": "4.19.0",
bash-4.4# cd node_modules/ip
bash-4.4# cat package.json | grep version
  "version": "2.0.0",
bash-4.4# 
```

Is the reason the ubi is not affected due to the statement above?
```
It appears that npm does not utilize the bundled code, making it vulnerable. So Red Hat Enterprise Linux is not affected by this vulnerability.
```

Comment 12 Jan Staněk 2024-04-02 12:10:46 UTC
(In reply to arturo from comment #11)
> https://access.redhat.com/security/cve/cve-2023-42282
> The RedHat CVE shows that the RHEL8 node 18 distribution is `not affected`
> but when I inspect the base image, the vulnerable version of `ip` 2.0.0 is
> still installed:
> ```
> MacBook-Pro-2 Desktop % podman run -it -u root --rm
> registry.access.redhat.com/ubi8/nodejs-18@sha256:
> cf3b944a5fffa2da8e133583b406004c583dd6e17dfea24825cd3f15f6335ac2 bash 
> bash-4.4# cd lib/node_modules/npm/
> bash-4.4# cat package.json | grep version
>   "version": "10.2.4",
>     "libnpmversion": "^5.0.1",
>     "libnpmversion",
>     "version": "4.19.0",
> bash-4.4# cd node_modules/ip
> bash-4.4# cat package.json | grep version
>   "version": "2.0.0",
> bash-4.4# 
> ```
> 
> Is the reason the ubi is not affected due to the statement above?
> ```
> It appears that npm does not utilize the bundled code, making it vulnerable.
> So Red Hat Enterprise Linux is not affected by this vulnerability.
> ```

From the relevant GH discussion (https://github.com/npm/cli/issues/7216#issuecomment-1939569800), upstream states that the NPM cli does not launch any servers (long-running processes) that could be targeted by SSRF attacks; so while the code is currently present in the package, it is not used in an exploitable way.

FYI, further down the discussion it seems that the entire dependency will be dropped in a future release.

Comment 13 arturo 2024-04-02 16:31:15 UTC
I see, `npm` developers have stated that this is a false positive. However, they did go ahead and patch this so that everyone would stop bugging them about it lol: https://github.com/npm/cli/issues/7216#issuecomment-1959743070. Are there any plans to include this fix in the ubi?

Comment 14 Jan Staněk 2024-04-03 13:13:45 UTC
(In reply to arturo from comment #13)
> I see, `npm` developers have stated that this is a false positive. However,
> they did go ahead and patch this so that everyone would stop bugging them
> about it lol: https://github.com/npm/cli/issues/7216#issuecomment-1959743070
> are there any plans to include this fix in the ubi?

Current plan is to pull the fix via some future upstream release of NodeJS/npm that will contain it. No dedicated rebases are planned.

Comment 15 errata-xmlrpc 2024-06-03 11:53:29 UTC
This issue has been addressed in the following products:

  HawtIO 4.0.0 for Red Hat build of Apache Camel 4

Via RHSA-2024:3550 https://access.redhat.com/errata/RHSA-2024:3550

Comment 17 errata-xmlrpc 2024-06-17 00:43:54 UTC
This issue has been addressed in the following products:

  NETWORK-OBSERVABILITY-1.6.0-RHEL-9

Via RHSA-2024:3868 https://access.redhat.com/errata/RHSA-2024:3868

Comment 18 errata-xmlrpc 2024-11-25 18:24:22 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Dev Spaces 3 Containers

Via RHSA-2024:10236 https://access.redhat.com/errata/RHSA-2024:10236