It was found that the tough-cookie module is vulnerable to regular expression denial of service. Input of around 50k characters is required for a slowdown of around 2 seconds. Unless node was compiled using the -DHTTP_MAX_HEADER_SIZE= option, the default header max length is 80kb, so the impact of the ReDoS is limited to around 7.3 seconds of blocking.
Upstream issue: https://github.com/salesforce/tough-cookie/issues/92
Upstream patch: https://github.com/salesforce/tough-cookie/commit/98e0916d7b017669c93855d831c6e0b19c14141e
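The comment above argues that the ReDoS impact is bounded by how much header data can reach the parser. The following is an added example, not code from the Bugzilla thread or from tough-cookie, showing the same idea applied at the application layer: reject oversized cookie strings before a regex-based parser sees them, and check that the bundled request version meets the 2.83.0 minimum cited later in the thread. The 4096-byte cap and the splitCookie helper are assumptions for illustration.

```javascript
// Node's historical default maximum HTTP header size, as cited in the report (80 KB).
const DEFAULT_NODE_HEADER_MAX = 80 * 1024;

// Assumed per-cookie cap: far below the ~50k-character inputs the report says
// already cause a multi-second stall, and below the 80 KB header ceiling.
const MAX_COOKIE_LEN = 4096;

// Linear-time split of a Set-Cookie style string (constructed helper; it does
// no regex backtracking, so its cost grows only with input length).
function splitCookie(str) {
  const [pair, ...attrs] = str.split(';');
  const eq = pair.indexOf('=');
  return {
    name: eq >= 0 ? pair.slice(0, eq).trim() : pair.trim(),
    value: eq >= 0 ? pair.slice(eq + 1).trim() : '',
    attributes: attrs.map(a => a.trim()).filter(Boolean),
  };
}

// Guard: refuse anything longer than maxLen before handing it to `parse`.
function boundedCookieParse(header, parse = splitCookie, maxLen = MAX_COOKIE_LEN) {
  if (typeof header !== 'string') return { ok: false, reason: 'not-a-string' };
  if (header.length > maxLen) return { ok: false, reason: 'too-long', length: header.length };
  return { ok: true, value: parse(header) };
}

// Compare dotted numeric versions; true when `have` is at least `want`.
function versionAtLeast(have, want) {
  const a = have.split('.').map(Number);
  const b = want.split('.').map(Number);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0, y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true;
}

// Minimum request version named in the thread for the tough-cookie fix.
const REQUEST_FIXED_VERSION = '2.83.0';
function requestIsPatched(version) {
  return versionAtLeast(version, REQUEST_FIXED_VERSION);
}
```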
Created nodejs-tough-cookie tracking bugs for this issue: Affects: fedora-all [bug 1493991]
Created attachment 1333247: patch
External References: https://nodesecurity.io/advisories/525
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Via RHSA-2017:2912 https://access.redhat.com/errata/RHSA-2017:2912
This issue has been addressed in the following products:
Red Hat Software Collections for Red Hat Enterprise Linux 6
Red Hat Software Collections for Red Hat Enterprise Linux 6.7 EUS
Red Hat Software Collections for Red Hat Enterprise Linux 7
Red Hat Software Collections for Red Hat Enterprise Linux 7.3 EUS
Via RHSA-2017:2913 https://access.redhat.com/errata/RHSA-2017:2913
RHMAP is vulnerable through use of the Request NodeJS library. Need to upgrade to at least 2.83.0.
This issue has been addressed in the following products:
Red Hat Mobile Application Platform 4.6
Via RHSA-2018:1264 https://access.redhat.com/errata/RHSA-2018:1264
This issue has been addressed in the following products:
Red Hat Mobile Application Platform 4.6
Via RHSA-2018:1263 https://access.redhat.com/errata/RHSA-2018:1263
NodeJS is shipped in Openshift Enterprise 3.9 as ImageStreams. Those ImageStreams are the RH Software Collection images. Setting Openshift Enterprise 3 as not affected.
Statement: Red Hat Quay includes nodejs-tough-cookie as a build-time dependency of protractor. It is not included in the runtime code, and is therefore not affected by this vulnerability.