ua-parser-js >= 0.7.14, fixed in 0.7.24, uses a regular expression which is vulnerable to denial of service. If an attacker sends a malicious User-Agent header, ua-parser-js will get stuck processing it for an extended period of time.

Reference: https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76

Upstream patch: https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566
Upstream fix: https://github.com/faisalman/ua-parser-js/commit/809439e20e273ce0d25c1d04e111dcf6011eb566
Dang, the upstream fix was already there. Briefly:

Jaeger
- depends on ua-parser-js v0.7.19 hoisted from: `"_project_#jaeger-ui#recompose#fbjs" depends on it`

OpenShift ServiceMesh
- grafana: does not webpack ua-parser-js into the final container (grep the source map/js files for UAParser), and hence is not affected
- prometheus: v0.7.20, still uses the legacy UI but the UI is still accessible through new/graph. However I don't think it's getting packaged as part of the webpack, will confirm in that bug.

OCP
- prometheus: v2.23.0 doesn't have the ua-parser-js dep
- grafana: same as ServiceMesh, doesn't webpack in ua-parser-js
- kibana: is a dep and the container is v0.7.18, the rpm is actually 0.7.19
- presto: there is a UI packaged under presto-main (presto-main-328.0.0.redhat-00001.jar) which is hoisted: `"react-dom#fbjs" depends on it`, and is v0.7.18
External References: https://gist.github.com/b-c-ds/6941d80d6b4e694df4bc269493b7be76
Statement: While some components do package a vulnerable version of ua-parser-js, access to them requires OpenShift OAuth credentials and hence they have been marked with a Low impact. This applies to the following products:
- OpenShift Container Platform (OCP)
- OpenShift ServiceMesh (OSSM)
- Red Hat OpenShift Jaeger (RHOSJ)
- Red Hat OpenShift Logging

The OCP presto-container does ship the vulnerable component; however, since OCP 4.6 the Metering product has been deprecated [1], so it has been set as wont-fix and may be fixed in a future release. Red Hat Advanced Cluster Management for Kubernetes (RHACM) ships graphql-tools, which pulls in version 0.7.23 of ua-parser-js, which uses the affected code.

[1] - https://access.redhat.com/solutions/5707561
For OCP, unless we can find a reliable way to get webpack to tell us what is being bundled, we're going to rely on `yarn list --prod` or `npm list --prod` and leave the final decision to engineering. This means that for this CVE, all grafana containers (except for 3.11) we're marking as affected, as `yarn list --prod` identifies that ua-parser-js is in use. This also applies to openshift-enterprise-console-container.
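As an added illustration of the `npm list --prod` approach described above (example code written for this page, not Red Hat's or the ua-parser-js project's own tooling): it walks a constructed `npm list --prod --json` tree, reports every ua-parser-js occurrence with the chain of parents that pulls it in (the `react-dom#fbjs` notation used earlier in this bug), and flags versions in the range the bug gives (>= 0.7.14, fixed in 0.7.24). `sampleTree`, `findUaParser` and the other names are assumptions of this example, and the tree contents are made up.

```javascript
// Constructed sample of `npm list --prod --json` output; not a real project's tree.
const sampleTree = {
  name: "example-ui", version: "1.0.0",
  dependencies: {
    "react-dom": { version: "16.8.0", dependencies: {
      fbjs: { version: "0.8.17", dependencies: { "ua-parser-js": { version: "0.7.18" } } },
    } },
    "some-tool": { version: "2.0.0", dependencies: { "ua-parser-js": { version: "0.7.24" } } },
  },
};

// Affected range as stated in this bug: >= 0.7.14, fixed in 0.7.24.
const AFFECTED_MIN = [0, 7, 14];
const FIXED_IN = [0, 7, 24];

// "0.7.18-beta" -> [0, 7, 18]; pre-release suffixes are ignored here.
function parseVersion(v) {
  return v.split("-")[0].split(".").map(Number);
}

// Numeric compare of [major, minor, patch]; negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    const d = (a[i] || 0) - (b[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return compareVersions(v, AFFECTED_MIN) >= 0 && compareVersions(v, FIXED_IN) < 0;
}

// Walk the tree recursively; each hit records the chain of parents that pulls it in
// (e.g. "react-dom#fbjs"), the version, and whether it falls in the affected range.
function findUaParser(tree, path = [], found = []) {
  for (const [name, dep] of Object.entries(tree.dependencies || {})) {
    if (name === "ua-parser-js") {
      // `npm list` omits "version" for missing or invalid entries; report those as unknown.
      const affected = dep.version ? isAffected(dep.version) : null;
      found.push({ path: path.join("#") || "(top level)", version: dep.version || "unknown", affected });
    }
    findUaParser(dep, [...path, name], found);
  }
  return found;
}

console.log(findUaParser(sampleTree));
```

Feed it the real output of `npm list --prod --json` (or a yarn equivalent converted to the same shape) instead of `sampleTree` to get the per-container list the comment above describes; it does not tell you whether webpack actually bundled the module, which is the gap the comment notes.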
This issue has been addressed in the following products:
  Red Hat OpenShift Container Platform 4.8
Via RHSA-2021:2438 https://access.redhat.com/errata/RHSA-2021:2438
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-27292
This issue has been addressed in the following products:
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8
Via RHSA-2021:3016 https://access.redhat.com/errata/RHSA-2021:3016
This issue has been addressed in the following products:
  Red Hat OpenShift Jaeger 1.24
Via RHSA-2021:3024 https://access.redhat.com/errata/RHSA-2021:3024
This issue has been addressed in the following products:
  OpenShift Logging 5.1
Via RHSA-2022:0226 https://access.redhat.com/errata/RHSA-2022:0226
This issue has been addressed in the following products:
  OpenShift Logging 5.3
Via RHSA-2022:0227 https://access.redhat.com/errata/RHSA-2022:0227
This issue has been addressed in the following products:
  OpenShift Logging 5.2
Via RHSA-2022:0230 https://access.redhat.com/errata/RHSA-2022:0230