Bug 2007557 (CVE-2021-3807) - CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes
Summary: CVE-2021-3807 nodejs-ansi-regex: Regular expression denial of service (ReDoS)...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-3807
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact: Jan Houska
URL:
Whiteboard:
Depends On: 2007559 2008377 2013357 2013824 2013825 2013828 2013831 2013832 2013833 2013834 2013835 2014688 2014689 2016079 2027638 2038298 2007558 2008375 2008376 2012330 2013351 2013353 2013354 2013355 2013356 2013826 2013827 2013829 2013830 2014334 2014335 2014336 2014337 2014338 2014339 2014340 2014341 2014342 2014343 2014344 2014345 2014690 2020063 2020064 2020065 2020068 2027641 2027642 2028389 2029523 2029524 2029525 2031770 2031771 2086781 2086782 2086784 2086785
Blocks: 2007561
TreeView+ depends on / blocked
 
Reported: 2021-09-24 09:17 UTC by Marian Rehak
Modified: 2022-05-31 09:48 UTC (History)
141 users (show)

Fixed In Version: nodejs-ansi-regex 6.0.1, nodejs-ansi-regex 5.0.1
Doc Type: If docs needed, set a value
Doc Text:
A regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes.
Clone Of:
Environment:
Last Closed: 2022-03-03 18:50:00 UTC


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2021:5171 0 None None None 2021-12-15 19:28:07 UTC
Red Hat Product Errata RHSA-2022:0041 0 None None None 2022-01-06 18:40:01 UTC
Red Hat Product Errata RHSA-2022:0246 0 None None None 2022-01-25 09:23:52 UTC
Red Hat Product Errata RHSA-2022:0350 0 None None None 2022-02-01 21:14:41 UTC
Red Hat Product Errata RHSA-2022:0735 0 None None None 2022-03-03 06:57:54 UTC
Red Hat Product Errata RHSA-2022:4711 0 None None None 2022-05-26 16:22:16 UTC
Red Hat Product Errata RHSA-2022:4814 0 None None None 2022-05-31 09:48:57 UTC

Description Marian Rehak 2021-09-24 09:17:51 UTC
ansi-regex is vulnerable to Inefficient Regular Expression Complexity

External Reference:

https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994

Comment 1 Marian Rehak 2021-09-24 09:20:11 UTC
Created nodejs-ansi-regex tracking bugs for this issue:

Affects: epel-7 [bug 2007559]
Affects: fedora-33 [bug 2007558]

Comment 4 Tomas Hoger 2021-09-27 18:08:36 UTC
This issue was introduced in ansi-regex 3.0.0 via this commit:

https://github.com/chalk/ansi-regex/commit/69bebf6b8b1ac9b4d70a411109b88bb650972f65

Comment 11 Tomas Hoger 2021-10-13 20:10:27 UTC
This issue also affects npm and nodejs-nodemon packages, which bundle affected versions of ansi-regex.  There are multiple copies of ansi-regex in each of those packages included as their dependencies.

Comment 12 Tomas Hoger 2021-10-13 20:12:33 UTC
Upstream bug report for npm about affected ansi-regex versions bundled with npm:

https://github.com/npm/cli/issues/3785

The latest npm version at the time - 8.0.0 - is still affected.

Comment 13 Tomas Hoger 2021-10-13 20:20:36 UTC
The nodejs package are also affected.  In addition to including npm with affected ansi-regex versions (see comments above), it also includes a copy of the problematic regular expression in its internal modules:

https://github.com/nodejs/node/blob/v14.18.1/lib/internal/util/inspect.js#L201-L208

This regular expression was fixed (using the fix from the ansi-regex module) in nodejs version 16.11.0:

https://github.com/nodejs/node/commit/66d310167725dc7785b6cc684f1c3c0b4af8fe6c
https://github.com/nodejs/node/pull/40214

Comment 21 Jonathan Christison 2021-10-15 16:59:05 UTC
This vulnerability is out of security support scope for the following products:

 * Red Hat AMQ Online

Please refer to https://access.redhat.com/support/policy/updates/jboss_notes for more details.

Comment 37 errata-xmlrpc 2021-12-15 19:28:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5171 https://access.redhat.com/errata/RHSA-2021:5171

Comment 41 errata-xmlrpc 2022-01-06 18:39:56 UTC
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:0041 https://access.redhat.com/errata/RHSA-2022:0041

Comment 43 errata-xmlrpc 2022-01-25 09:23:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0246 https://access.redhat.com/errata/RHSA-2022:0246

Comment 44 errata-xmlrpc 2022-02-01 21:14:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:0350 https://access.redhat.com/errata/RHSA-2022:0350

Comment 46 errata-xmlrpc 2022-03-03 06:57:47 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:0735 https://access.redhat.com/errata/RHSA-2022:0735

Comment 47 Product Security DevOps Team 2022-03-03 18:49:53 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-3807

Comment 48 errata-xmlrpc 2022-05-26 16:22:08 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2022:4711 https://access.redhat.com/errata/RHSA-2022:4711

Comment 49 errata-xmlrpc 2022-05-31 09:48:52 UTC
This issue has been addressed in the following products:

  Red Hat Migration Toolkit for Containers 1.6

Via RHSA-2022:4814 https://access.redhat.com/errata/RHSA-2022:4814


Note You need to log in before you can comment on or make changes to this bug.