Bug 1954150 (CVE-2021-23382) - CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotation() in lib/previous-map.js
Summary: CVE-2021-23382 nodejs-postcss: ReDoS via getAnnotationURL() and loadAnnotatio...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-23382
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1962025 1949771 1949772 1955219 1955220 1955222 1955224 1956844 1956845 1956846 1956847 1956848 1956849 1962020 1962021 1962022 1962023 1962024 1984059
Blocks: 1954151
TreeView+ depends on / blocked
 
Reported: 2021-04-27 16:57 UTC by Guilherme de Almeida Suckevicz
Modified: 2023-08-31 23:58 UTC (History)
47 users (show)

Fixed In Version: postcss 8.2.13
Doc Type: If docs needed, set a value
Doc Text:
A regular expression denial of service (ReDoS) vulnerability was found in the npm library `postcss` when using getAnnotationURL() or loadAnnotation() options in lib/previous-map.js. An attacker can use this vulnerability to potentially craft a malicious CSS to process resulting in a denial of service.
Clone Of:
Environment:
Last Closed: 2021-07-28 01:07:29 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:32:14 UTC
Red Hat Product Errata RHSA-2021:3016 0 None None None 2021-08-06 00:51:07 UTC
Red Hat Product Errata RHSA-2021:3917 0 None None None 2021-10-19 12:11:12 UTC

Description Guilherme de Almeida Suckevicz 2021-04-27 16:57:56 UTC 
The package postcss before 8.2.13 are vulnerable to Regular Expression Denial of Service (ReDoS) via getAnnotationURL() and loadAnnotation() in lib/previous-map.js. The vulnerable regexes are caused mainly by the sub-pattern \/\*\s* sourceMappingURL=(.*).

Reference:
https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640

Upstream patch:
https://github.com/postcss/postcss/commit/2b1d04c867995e55124e0a165b7c6622c1735956
Comment 1 Przemyslaw Roguski 2021-04-29 16:49:57 UTC 
Upstream PR:
https://github.com/postcss/postcss/pull/1567
Comment 2 Przemyslaw Roguski 2021-04-29 16:50:01 UTC 
External References:

https://snyk.io/vuln/SNYK-JS-POSTCSS-1255640
Comment 8 Przemyslaw Roguski 2021-05-07 08:59:08 UTC 
Statement:

In Red Hat OpenShift Container Platform (RHOCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-postcss library to authenticated users only, therefore the impact is low.

Red Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-postcss library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.

In Red Had Quay , whilst a vulnerable version of `postcss` is included in the quay-rhel8 container it is a development dependency only, therefor the impact is low.
Comment 10 Tapas Jena 2021-05-10 18:58:45 UTC 
Analysis is complete for AAP 1.2 and as a result, I found that none of the AAP components do use the concerned vulnerable functions i.e. getAnnotationURL() and loadAnnotation(). Hence, marking this as "Not Affected" for AAP.
Comment 15 errata-xmlrpc 2021-07-27 22:32:16 UTC 
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
Comment 16 Product Security DevOps Team 2021-07-28 01:07:29 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-23382
Comment 17 errata-xmlrpc 2021-08-06 00:51:04 UTC 
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
Comment 18 errata-xmlrpc 2021-10-19 12:11:09 UTC 
This issue has been addressed in the following products:

  Red Hat Quay 3

Via RHSA-2021:3917 https://access.redhat.com/errata/RHSA-2021:3917
Note You need to log in before you can comment on or make changes to this bug.