Bug 1739497 (CVE-2019-10744) - CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties
Summary: CVE-2019-10744 nodejs-lodash: prototype pollution in defaultsDeep function leading to modifying properties
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2019-10744
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1739502 1741407 1741408 1741409 1741410 1753842
Blocks: 1739503
Reported: 2019-08-09 13:06 UTC by Marian Rehak
Modified: 2023-05-22 15:24 UTC (History)

Fixed In Version: lodash 4.17.12
Doc Type: If docs needed, set a value
Doc Text:
A Prototype Pollution vulnerability was found in lodash. Calling certain methods with untrusted JSON could lead to modifying objects up the prototype chain, including the global Object. A crafted JSON object passed to a vulnerable method could lead to denial of service or data injection, with various consequences.
Clone Of:
Environment:
Last Closed: 2019-10-10 18:51:07 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2019:3024 0 None None None 2019-10-10 15:39:00 UTC
Red Hat Product Errata RHSA-2020:2362 0 None None None 2020-06-02 15:36:23 UTC
Red Hat Product Errata RHSA-2020:2819 0 None None None 2020-07-06 11:59:17 UTC
Red Hat Product Errata RHSA-2021:5134 0 None None None 2021-12-14 21:32:39 UTC
Red Hat Product Errata RHSA-2022:5101 0 None None None 2022-06-16 14:53:55 UTC

Description Marian Rehak 2019-08-09 13:06:14 UTC
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Upstream Issue:

https://github.com/lodash/lodash/issues/4348

Comment 1 Marian Rehak 2019-08-09 13:23:34 UTC
Created nodejs-lodash tracking bugs for this issue:

Affects: epel-all [bug 1739502]

Comment 7 errata-xmlrpc 2019-10-10 15:38:58 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.3

Via RHSA-2019:3024 https://access.redhat.com/errata/RHSA-2019:3024

Comment 8 Product Security DevOps Team 2019-10-10 18:51:07 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-10744

Comment 9 Mark Cooper 2020-04-03 04:44:51 UTC
Jaeger includes multiple references of lodash including versions, 4.17.10 and 4.17.11.

Have dropped impact to moderate as, whilst Jaeger is vulnerable, it is not directly accessible, being protected behind OpenShift authentication - if successfully exploited within Jaeger no privilege boundary will be crossed.

Additionally, the defaultsDeep function is not directly called within the Jaeger UI; an exploit vector would have to be found in one of the libraries, increasing the difficulty significantly.

Comment 10 Mark Cooper 2020-04-03 04:53:58 UTC
Also including: 
    - kiali v4.17.4
    - servicemesh-grafana v4.17.4

Also keeping impact as Moderate due to Comment #9

Comment 16 errata-xmlrpc 2020-06-02 15:36:21 UTC
This issue has been addressed in the following products:

  Openshift Service Mesh 1.0
  OpenShift Service Mesh 1.0

Via RHSA-2020:2362 https://access.redhat.com/errata/RHSA-2020:2362

Comment 17 errata-xmlrpc 2020-07-06 11:59:11 UTC
This issue has been addressed in the following products:

  Jaeger-1.17

Via RHSA-2020:2819 https://access.redhat.com/errata/RHSA-2020:2819

Comment 18 Jason Shepherd 2021-03-19 06:38:09 UTC
Statement:

The lodash dependency is included in OpenShift Container Platform (OCP) by Kibana in the aggregated logging stack. Elastic have issued a security advisory (ESA-2019-10) for Kibana for this vulnerability, and in that advisory stated that no exploit vectors had been identified in Kibana. Therefore we rate this issue as moderate for OCP and may fix this issue in a future release.

https://www.elastic.co/community/security

This issue did not affect the versions of rh-nodejs8-nodejs and rh-nodejs10-nodejs as shipped with Red Hat Software Collections.

Whilst a vulnerable version of lodash has been included in ServiceMesh, the impact is lowered to Moderate due to the library not being directly accessible increasing the attack complexity and the fact that the attacker would need some existing access - meaning the vulnerability is not crossing a privilege boundary.

Red Hat Quay imports lodash as a runtime dependency of restangular. The restangular functions in use by Red Hat Quay do not use lodash to parse user input. This issue is therefore rated moderate impact for Red Hat Quay.

Comment 22 Jonathan Christison 2021-07-26 15:14:36 UTC
Marking Red Hat Fuse 7 and Red Hat AMQ Broker 7 as having a low impact. This is because both products use the Hawtio console, which distributes lodash; however, the vulnerable defaultsDeep, merge and mergeWith functions are not used/available to the attacker directly. Adding to this, the JavaScript libraries using lodash are not accessible without authentication for the console itself.

Comment 23 errata-xmlrpc 2021-12-14 21:32:37 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.10

Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134

Comment 24 errata-xmlrpc 2022-06-16 14:53:52 UTC
This issue has been addressed in the following products:

  Red Hat AMQ 7.10.0

Via RHSA-2022:5101 https://access.redhat.com/errata/RHSA-2022:5101

