Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload. Upstream Issue: https://github.com/lodash/lodash/issues/4348
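An added example (not lodash code and not from the bug reporter) showing the defensive side of the bug above: a deep-defaults helper that refuses to walk the `constructor`/`prototype`/`__proto__` path, plus a pre-merge scanner that flags such keys in untrusted JSON so they can be logged or rejected. The names `safeDefaultsDeep`, `findPollutingKeys`, `SAMPLE_PAYLOAD` and `demo` are assumptions, and the payload is constructed for the demonstration.

```javascript
// Added example, not lodash's implementation. Names below are assumed.
const BLOCKED_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Walk an untrusted object and return dotted paths of keys that could reach
// Object.prototype. Use it to log or reject input before any deep merge.
function findPollutingKeys(obj, path = '', found = []) {
  if (!isPlainObject(obj)) return found;
  for (const key of Object.keys(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (BLOCKED_KEYS.has(key)) found.push(here);
    findPollutingKeys(obj[key], here, found);
  }
  return found;
}

// Fill properties missing from `target` with values from `source`, recursing
// into plain objects, but skipping keys that lead to the prototype chain and
// only treating a key as "present" when it is an own property of `target`.
function safeDefaultsDeep(target, source) {
  for (const key of Object.keys(source)) {
    if (BLOCKED_KEYS.has(key)) continue;
    const srcVal = source[key];
    const hasOwn = Object.prototype.hasOwnProperty.call(target, key);
    if (!hasOwn || target[key] === undefined) {
      target[key] = isPlainObject(srcVal) ? safeDefaultsDeep({}, srcVal) : srcVal;
    } else if (isPlainObject(target[key]) && isPlainObject(srcVal)) {
      safeDefaultsDeep(target[key], srcVal);
    }
  }
  return target;
}

// Constructed sample input of the shape the upstream issue describes:
// a "constructor" key whose "prototype" child carries attacker-chosen fields.
const SAMPLE_PAYLOAD = JSON.parse(
  '{"constructor":{"prototype":{"polluted":"yes"}},"port":8080}'
);

function demo() {
  const flagged = findPollutingKeys(SAMPLE_PAYLOAD);
  const config = safeDefaultsDeep({ host: 'localhost' }, SAMPLE_PAYLOAD);
  // A fresh object must not have inherited anything from the merge.
  return { config, flagged, polluted: ({}).polluted };
}
```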
Created nodejs-lodash tracking bugs for this issue: Affects: epel-all [bug 1739502]
This issue has been addressed in the following products: Red Hat Virtualization Engine 4.3 Via RHSA-2019:3024 https://access.redhat.com/errata/RHSA-2019:3024
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-10744
Jaeger includes multiple references to lodash, including versions 4.17.10 and 4.17.11. Have dropped impact to moderate as, whilst Jaeger is vulnerable, it is not directly accessible, being protected behind OpenShift authentication - if successfully exploited within Jaeger, no privilege boundary will be crossed. Additionally, the defaultsDeep function is not directly called within the Jaeger UI; an exploit vector would have to be found in one of the libraries, increasing the difficulty significantly.
Also including:
- kiali v4.17.4
- servicemesh-grafana v4.17.4
Also keeping impact as Moderate due to Comment #9
This issue has been addressed in the following products: Openshift Service Mesh 1.0 OpenShift Service Mesh 1.0 Via RHSA-2020:2362 https://access.redhat.com/errata/RHSA-2020:2362
This issue has been addressed in the following products: Jaeger-1.17 Via RHSA-2020:2819 https://access.redhat.com/errata/RHSA-2020:2819
Statement: The lodash dependency is included in OpenShift Container Platform (OCP) by Kibana in the aggregated logging stack. Elastic have issued a security advisory (ESA-2019-10) for Kibana for this vulnerability, and in that advisory stated that no exploit vectors had been identified in Kibana. Therefore we rate this issue as moderate for OCP and may fix this issue in a future release. https://www.elastic.co/community/security This issue did not affect the versions of rh-nodejs8-nodejs and rh-nodejs10-nodejs as shipped with Red Hat Software Collections. Whilst a vulnerable version of lodash has been included in ServiceMesh, the impact is lowered to Moderate due to the library not being directly accessible, increasing the attack complexity, and the fact that the attacker would need some existing access - meaning the vulnerability is not crossing a privilege boundary. Red Hat Quay imports lodash as a runtime dependency of restangular. The restangular functions in use by Red Hat Quay do not use lodash to parse user input. This issue is therefore rated moderate impact for Red Hat Quay.
Marking Red Hat Fuse 7 and Red Hat AMQ Broker 7 as having a low impact. This is because both products use the Hawtio console, which distributes lodash; however, the vulnerable defaultsDeep, merge and mergeWith functions are not used/available to the attacker directly. Adding to this, the JavaScript libraries using lodash are not accessible without authentication for the console itself.
This issue has been addressed in the following products: Red Hat Fuse 7.10 Via RHSA-2021:5134 https://access.redhat.com/errata/RHSA-2021:5134
This issue has been addressed in the following products: Red Hat AMQ 7.10.0 Via RHSA-2022:5101 https://access.redhat.com/errata/RHSA-2022:5101