1567228 – (CVE-2018-3737) CVE-2018-3737 nodejs-sshpk: ReDoS when parsing crafted invalid public keys in lib/formats/ssh.js

Bug 1567228 (CVE-2018-3737) - CVE-2018-3737 nodejs-sshpk: ReDoS when parsing crafted invalid public keys in lib/formats/ssh.js

Summary: CVE-2018-3737 nodejs-sshpk: ReDoS when parsing crafted invalid public keys in...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2018-3737
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1591080 1711730
Blocks:	1567230
TreeView+	depends on / blocked

Reported:	2018-04-13 15:31 UTC by Laura Pardo
Modified:	2021-03-22 04:24 UTC (History)
CC List:	25 users (show)
Fixed In Version:	sshpk 1.14.1, sshpk 1.3.2
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-06-19 05:20:25 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2020:2625	0	None	None	None	2020-06-19 03:44:15 UTC

Description Laura Pardo 2018-04-13 15:31:34 UTC

A flaw was found in sshpk versions before 1.14.1. The regular expressions used for parsing OpenSSH-format public keys in sshpk are resulting in exponential increases in runtime when parsing maliciously constructed inputs.


References:
https://github.com/joyent/node-sshpk/issues/44

Pacth:
https://github.com/joyent/node-sshpk/commit/46065d38a5e6d1bccf86d3efb2fb83c14e3f9957

Comment 2 Sam Fowler 2018-06-08 05:02:01 UTC

Reference:

https://hackerone.com/reports/319593

Comment 7 errata-xmlrpc 2020-06-19 03:44:11 UTC

This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2020:2625 https://access.redhat.com/errata/RHSA-2020:2625

Comment 8 Product Security DevOps Team 2020-06-19 05:20:25 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2018-3737

Comment 9 Jason Shepherd 2021-03-22 02:18:50 UTC

Statement:

Red Hat Quay includes sshpk as a dependency of protractor which is only used during a build. The sshpk dependency is not used at runtime therefore this vulnerability has a low impact for Red Hat Quay.

Note You need to log in before you can comment on or make changes to this bug.

bdettelb
dblechte
dfediuck
dffrench
drusso
eedri
hhorak
jmadigan
jorton
jshepherd
jupittma
lgriffin
mgoldboi
michal.skrivanek
ngough
omachace
pwright
rrajasek
sbonazzo
sgratch
sherold
tomckay
trepel
yturgema
zsvetlik