Bug 2105075 (CVE-2022-31129) - CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
Summary: CVE-2022-31129 moment: inefficient parsing algorithm resulting in DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-31129
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: high
Severity: high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2107319 2106579 2106580 2106581 2106582 2106583 2106584 2108743 2108744 2108745 2108746 2108747 2108748 2108749 2108750 2108751 2108752 2108753 2108754 2108755 2108756 2108758 2108759 2108760 2108763 2108983 2109073 2109074 2109075 2109076 2109077 2109078 2109079 2109080 2109081 2109082 2109083 2110422 2110845 2110846 2110847 2110848 2110849 2110850 2110851 2110852 2110853 2110854 2112137 2112138 2112139 2112140 2112141 2116712 2116713 2126486 2126488
Blocks: 2105076
Reported: 2022-07-07 20:26 UTC by Sage McTaggart
Modified: 2024-03-19 12:55 UTC (History)
CC: 146 users

Fixed In Version: moment 2.29.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Moment.js package. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to regular expression denial of service (ReDoS) attacks.
Clone Of:
Environment:
Last Closed: 2023-03-28 03:49:09 UTC
Embargoed:

Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:5913 0 None None None 2022-08-08 08:09:26 UTC
Red Hat Product Errata RHSA-2022:5914 0 None None None 2022-08-08 08:17:12 UTC
Red Hat Product Errata RHSA-2022:5915 0 None None None 2022-08-08 08:44:19 UTC
Red Hat Product Errata RHSA-2022:6156 0 None None None 2022-08-24 13:48:20 UTC
Red Hat Product Errata RHSA-2022:6271 0 None None None 2022-08-31 14:24:19 UTC
Red Hat Product Errata RHSA-2022:6272 0 None None None 2022-08-31 14:57:52 UTC
Red Hat Product Errata RHSA-2022:6277 0 None None None 2022-08-31 16:56:41 UTC
Red Hat Product Errata RHSA-2022:6345 0 None None None 2022-09-06 14:33:24 UTC
Red Hat Product Errata RHSA-2022:6370 0 None None None 2022-09-06 22:29:28 UTC
Red Hat Product Errata RHSA-2022:6392 0 None None None 2022-09-08 11:26:48 UTC
Red Hat Product Errata RHSA-2022:6393 0 None None None 2022-09-08 11:28:50 UTC
Red Hat Product Errata RHSA-2022:6422 0 None None None 2022-09-12 21:09:15 UTC
Red Hat Product Errata RHSA-2022:6507 0 None None None 2022-09-13 20:06:28 UTC
Red Hat Product Errata RHSA-2022:6696 0 None None None 2022-09-26 14:51:52 UTC
Red Hat Product Errata RHSA-2022:6813 0 None None None 2022-10-05 10:46:49 UTC
Red Hat Product Errata RHSA-2022:6835 0 None None None 2022-10-06 12:28:25 UTC
Red Hat Product Errata RHSA-2022:7055 0 None None None 2022-10-19 12:56:54 UTC
Red Hat Product Errata RHSA-2022:7276 0 None None None 2022-11-01 16:53:23 UTC
Red Hat Product Errata RHSA-2022:7313 0 None None None 2022-11-02 14:07:14 UTC
Red Hat Product Errata RHSA-2022:8652 0 None None None 2022-11-28 14:40:02 UTC
Red Hat Product Errata RHSA-2023:1043 0 None None None 2023-03-01 21:43:04 UTC
Red Hat Product Errata RHSA-2023:1044 0 None None None 2023-03-01 21:45:27 UTC
Red Hat Product Errata RHSA-2023:1045 0 None None None 2023-03-01 21:47:59 UTC
Red Hat Product Errata RHSA-2023:1047 0 None None None 2023-03-01 21:50:41 UTC
Red Hat Product Errata RHSA-2023:1049 0 None None None 2023-03-01 21:58:55 UTC
Red Hat Product Errata RHSA-2023:1486 0 None None None 2023-03-28 00:15:12 UTC
Red Hat Product Errata RHSA-2023:3623 0 None None None 2023-06-15 09:15:35 UTC

Description Sage McTaggart 2022-07-07 20:26:47 UTC
moment is a JavaScript date library for parsing, validating, manipulating, and formatting dates. Affected versions of moment were found to use an inefficient parsing algorithm. Specifically, using string-to-date parsing in moment (more specifically rfc2822 parsing, which is tried by default) has quadratic (N^2) complexity on specific inputs. Users may notice a slowdown with inputs above 10k characters. Users who pass user-provided strings without sanity length checks to the moment constructor are vulnerable to (Re)DoS attacks. The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking. Users are advised to upgrade. Users unable to upgrade should consider limiting date lengths accepted from user input.

https://github.com/moment/moment/commit/9a3b5894f3d5d602948ac8a02e4ee528a49ca3a3
https://github.com/moment/moment/pull/6015#issuecomment-1152961973
https://github.com/moment/moment/security/advisories/GHSA-wc69-rhjr-hc9g
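The description names two mitigations: upgrade to moment 2.29.4, or bound the length of any user-supplied string before it reaches the moment constructor. The block below is an added example, not code from the bug report or from the moment project, showing the second mitigation as a wrapper that rejects oversized or off-format input before the underlying parser is ever called. `boundedDateParser`, `ISO_8601_SHAPE`, `MAX_DATE_INPUT_LENGTH` and `platformParse` are names chosen here; the limit of 64 characters is an assumption about what this application needs, and the stand-in `platformParse` exists only so the example runs without moment installed. The commented `moment(s, moment.ISO_8601, true)` call is moment's documented strict-format parsing and is shown, not executed.

```javascript
// Added example (not code from the bug report or the moment project):
// enforce a length bound and a format allow-list before a date string
// reaches any parser that may have super-linear worst cases.

// Assumption: no legitimate date string in this application exceeds this.
// The advisory reports slowdowns above ~10k characters, so a bound in the
// tens of characters leaves wide headroom while cutting off the bad cases.
const MAX_DATE_INPUT_LENGTH = 64;

// Anchored ISO 8601 shape check with only bounded quantifiers, so the test
// itself runs in linear time and cannot backtrack catastrophically.
const ISO_8601_SHAPE =
  /^\d{4}-\d{2}-\d{2}(?:[T ]\d{2}:\d{2}(?::\d{2}(?:\.\d{1,9})?)?(?:Z|[+-]\d{2}:?\d{2})?)?$/;

/**
 * Wrap a date parser so that non-string, oversized or off-format input is
 * rejected before the parser is invoked. Returns {ok, value} or {ok, reason}.
 * @param {(s: string) => any} parse   underlying parser
 * @param {{maxLen?: number, shape?: RegExp}} opts
 */
function boundedDateParser(parse, opts = {}) {
  const maxLen = opts.maxLen ?? MAX_DATE_INPUT_LENGTH;
  const shape = opts.shape ?? null;
  return function parseBounded(input) {
    if (typeof input !== 'string') {
      return { ok: false, reason: 'input is not a string' };
    }
    // Length check first: O(1), and it is the mitigation the advisory names.
    if (input.length > maxLen) {
      return { ok: false, reason: `input length ${input.length} exceeds limit ${maxLen}` };
    }
    // Optional allow-list: refuse free-form text (rfc2822 and friends) outright.
    if (shape && !shape.test(input)) {
      return { ok: false, reason: 'input does not match the allowed date format' };
    }
    return { ok: true, value: parse(input) };
  };
}

// Stand-in parser so the example runs offline: epoch milliseconds via Date.parse.
function platformParse(s) {
  const ms = Date.parse(s);
  if (Number.isNaN(ms)) throw new Error(`unparseable date: ${s}`);
  return ms;
}

// With moment installed the same wrapper would be built as (assumed usage):
//   boundedDateParser((s) => moment(s, moment.ISO_8601, true), { shape: ISO_8601_SHAPE });
const parseDate = boundedDateParser(platformParse, { shape: ISO_8601_SHAPE });

// Three constructed inputs: a normal timestamp, a padded 20k-character string
// of the kind the advisory warns about, and an rfc2822-style string.
function demoLengthGuard() {
  const good = parseDate('2022-07-07T20:26:47Z');
  const tooLong = parseDate('2022-07-07T20:26:47Z' + ' '.repeat(20000));
  const badShape = parseDate('Thu, 07 Jul 2022 20:26:47 GMT');
  return { good, tooLong, badShape };
}

console.log(JSON.stringify(demoLengthGuard(), null, 2));
```

The order of the checks is deliberate: the length test is constant time and runs before the regular expression, so even the allow-list never sees an input longer than the bound. Applications that must accept formats beyond ISO 8601 can drop the `shape` option and keep only the length bound, which is the minimum the advisory asks for.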

Comment 2 Parag Nemade 2022-07-12 10:24:07 UTC
Why have you CC'ed many people, or, to be exact, the i18n-bugs list, to this bug?

Comment 3 Sage McTaggart 2022-07-12 19:51:38 UTC
In reply to comment #2:
> Why have you CC'ed many people or to exact i18n-bugs list to this bug?
The default CC list is based off the affects, and is based off who is on the CC list for affected products.

Comment 4 Parag Nemade 2022-07-13 02:16:31 UTC
I still don't get how a moment project CVE is related to i18n packages.

The Fedora repository search only shows 
$ sudo dnf search moment
Last metadata expiration check: 4 days, 19:21:18 ago on Thu 07 Jul 2022 12:24:40 PM IST.
==================================================================================== Name Matched: moment ====================================================================================
perl-Time-Moment.x86_64 : Represents a date and time of day with an offset from UTC
================================================================================== Summary Matched: moment ===================================================================================
R-FMStable.x86_64 : Finite Moment Stable Distributions

Is moment a bundled Javascript library in some nodejs module package in Fedora?

Comment 5 Parag Nemade 2022-07-13 02:17:14 UTC
You are not authorized to access bug #2105076.

Comment 7 Petr Viktorin (pviktori) 2022-07-13 07:57:36 UTC
Why is python-sig.org in CC for this RHEL bug? Is there something the Fedora SIG can/should do here?

Comment 8 Tomas Hoger 2022-07-13 08:12:36 UTC
In reply to comment #2:
> Why have you CC'ed many people or to exact i18n-bugs list to this bug?

i18n-bugs is on the initial CC list for the cldr-emoji-annotation component, which was added as possibly affected by this issue.  The package is considered to include moment because moment is listed in tools/cldr-apps/js/package-lock.json (in sources).  However, moment does not seem to be included in the srpm or in any binary rpm, hence this looks like a false positive.

Comment 9 Tomas Hoger 2022-07-13 08:15:51 UTC
In reply to comment #7:
> Why is python-sig.org in CC for this RHEL bug? Is there
> something the Fedora SIG can/should do here?

python-sig is added because of python-notebook, but I do not see why that component was added here as possibly affected.

Comment 10 Tomas Hoger 2022-07-13 08:19:28 UTC
In reply to comment #9:
> In reply to comment #7:
> > Why is python-sig.org in CC for this RHEL bug? Is there
> > something the Fedora SIG can/should do here?
> 
> python-sig is added because of python-notebook, but I do not see why that
> component was added here as possibly affected.

Sigh, I was checking incorrectly.  python-notebook seems to bundle and ship moment in site-packages/notebook/static/components/moment/

Comment 11 Miro Hrončok 2022-07-13 08:34:17 UTC
(In reply to Tomas Hoger from comment #10)
> In reply to comment #9:
> > In reply to comment #7:
> > > Why is python-sig.org in CC for this RHEL bug? Is there
> > > something the Fedora SIG can/should do here?
> > 
> > python-sig is added because of python-notebook, but I do not see why that
> > component was added here as possibly affected.
> 
> Sigh, I was checking incorrectly.  python-notebook seems to bundle and ship
> moment in site-packages/notebook/static/components/moment/

It does, it also provides bundled(moment) = 2.19.3.

(In reply to Petr Viktorin from comment #7)
> Why is python-sig.org in CC for this RHEL bug? Is there
> something the Fedora SIG can/should do here?

This is not a RHEL bug, but a tracking bug that covers Fedora, RHEL, EPEL, etc.

All the maintainers of all the affected components in all the products are CC'ed here. That includes python-sig.org.
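Comments 8 through 11 show the triage question behind a tracker like this one: a moment entry in cldr-emoji-annotation's package-lock.json turned out to be a false positive because nothing from moment ships in the built rpm, while python-notebook really bundles moment 2.19.3. The following is an added example, not code from Red Hat, Fedora or the moment project, of a small Node.js helper that separates "declared in the lockfile" from "shipped in the artifact" and compares the declared version with the fixed version on this bug (2.29.4). `findMomentInLock`, `auditMomentUsage`, `compareVersions` and the two sample lockfiles are constructed for this example; the notebook file path is modelled on the directory named in comment 10, and the cldr sample version 2.29.3 is made up.

```javascript
// Added example (not from the bug report, Fedora or the moment project):
// decide whether a lockfile entry for moment is a real finding.

// Compare "major.minor.patch" strings; returns -1, 0 or 1.
function compareVersions(a, b) {
  const parse = (v) => {
    const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
    if (!m) throw new Error(`unparseable version: ${v}`);
    return m.slice(1, 4).map(Number);
  };
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "Fixed In Version" on this bug.
const FIXED_MOMENT_VERSION = '2.29.4';

function isVulnerableMomentVersion(v) {
  return compareVersions(v, FIXED_MOMENT_VERSION) < 0;
}

// Collect every moment entry from a parsed package-lock.json, handling the
// lockfileVersion 1 nested "dependencies" tree and the v2/v3 "packages" map.
function findMomentInLock(lock) {
  const found = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/moment$/.test(path)) found.push({ path, version: meta.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'moment') found.push({ path, version: meta.version });
      walk(meta.dependencies, path + '/');
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return found;
}

// A lock entry is a finding only if the version is below the fix AND the
// built package actually ships moment files (e.g. from an rpm file list).
function auditMomentUsage(lock, shippedFiles) {
  const shipsMoment = shippedFiles.some((f) => /\/moment\/|\/moment(\.min)?\.js$/.test(f));
  return findMomentInLock(lock).map((entry) => {
    const vulnerableVersion = isVulnerableMomentVersion(entry.version);
    let verdict;
    if (!vulnerableVersion) verdict = 'fixed version';
    else if (shipsMoment) verdict = 'affected';
    else verdict = 'false positive: not shipped';
    return { ...entry, vulnerableVersion, shipped: shipsMoment, verdict };
  });
}

// Constructed samples modelled on the two cases discussed in the comments.
const cldrLock = {                       // v2-style lock; version is made up
  lockfileVersion: 2,
  packages: { '': { name: 'cldr-apps' }, 'node_modules/moment': { version: '2.29.3' } },
};
const cldrShipped = ['/usr/share/unicode/emoji/annotations/en.xml'];

const notebookLock = {                   // v1-style lock; 2.19.3 is from comment 11
  lockfileVersion: 1,
  dependencies: { moment: { version: '2.19.3' } },
};
const notebookShipped = [
  '/usr/lib/python3/site-packages/notebook/static/components/moment/moment.js',
];

function demoLockAudit() {
  return {
    cldr: auditMomentUsage(cldrLock, cldrShipped),
    notebook: auditMomentUsage(notebookLock, notebookShipped),
  };
}

console.log(JSON.stringify(demoLockAudit(), null, 2));
```

In practice `shippedFiles` would come from the package's file list (for an rpm, the output of listing the built package's contents), so the verdict reflects what is installed rather than what the build tree once resolved.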

Comment 12 Petr Viktorin (pviktori) 2022-07-13 08:45:28 UTC
> python-sig is added because of python-notebook

I see, thanks. For the future, where can I find the list of affected components?

Comment 13 Parag Nemade 2022-07-13 09:51:46 UTC
(In reply to Tomas Hoger from comment #8)
> In reply to comment #2:
> > Why have you CC'ed many people or to exact i18n-bugs list to this bug?
> 
> i18n-bugs is on the initial CC list for the cldr-emoji-annotation component,
> which was added as possibly affected by this issue.  The package is
> considered to include moment because of moment being listed in
> tools/cldr-apps/js/package-lock.json (in sources).  However, moment does not
> seem to be included in the srpm and also in any binary rpm, hence this looks
> like false positive.

Thank you for confirming this false positive.

Comment 17 Sage McTaggart 2022-07-19 20:34:54 UTC
In reply to comment #5:
> You are not authorized to access bug #2105076.

moment is an npm library. Upon running deptopia (depcli -vs moment), we obtained the affects we have here. 
Here is the output for fedora.
fedora-35	ceph	(moment@, npm)
fedora-35	cockpit-composer	(moment.1, npm)
fedora-35	cockpit-session-recording	(moment.0, npm)
fedora-35	couchdb	(moment.0, npm)
fedora-35	golang-github-apache-beam-2	(moment.0, npm)
fedora-35	grafana	(moment.0, npm)	(and 2 more deps)
fedora-35	python-ipyparallel	(moment.2, npm)
fedora-35	python-notebook	(moment.3, None)
fedora-35	syncthing	(moment.4, None)
fedora-35	workrave	(moment.1, npm)
fedora-35	zuul	(moment.0, npm)
fedora-36	ceph	(moment@, npm)
fedora-36	cldr-emoji-annotation	(moment.1, npm)
fedora-36	cockpit-composer	(moment.1, npm)
fedora-36	cockpit-session-recording	(moment.0, npm)
fedora-36	golang-github-apache-beam-2	(moment.0, npm)
fedora-36	grafana	(moment.0, npm)	(and 2 more deps)
fedora-36	pgadmin4	(moment.3, npm)
fedora-36	python-ipyparallel	(moment.2, npm)
fedora-36	python-notebook	(moment.3, None)
fedora-36	subscription-manager-cockpit	(moment.1, npm)
fedora-36	syncthing	(moment.4, None)
fedora-36	workrave	(moment.1, npm)
fedora-36	zuul	(moment.0, npm)

Comment 24 Avinash Hanwate 2022-07-26 04:18:37 UTC
Created cldr-emoji-annotation tracking bugs for this issue:

Affects: fedora-36 [bug 2110850]


Created couchdb tracking bugs for this issue:

Affects: fedora-35 [bug 2110846]


Created golang-github-apache-beam-2 tracking bugs for this issue:

Affects: fedora-35 [bug 2110847]
Affects: fedora-36 [bug 2110851]


Created python-ipyparallel tracking bugs for this issue:

Affects: fedora-35 [bug 2110848]
Affects: fedora-36 [bug 2110852]


Created subscription-manager-cockpit tracking bugs for this issue:

Affects: fedora-36 [bug 2110853]


Created syncthing tracking bugs for this issue:

Affects: epel-8 [bug 2110845]


Created workrave tracking bugs for this issue:

Affects: fedora-35 [bug 2110849]
Affects: fedora-36 [bug 2110854]

Comment 30 errata-xmlrpc 2022-08-08 08:09:20 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:5913 https://access.redhat.com/errata/RHSA-2022:5913

Comment 31 errata-xmlrpc 2022-08-08 08:17:06 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:5914 https://access.redhat.com/errata/RHSA-2022:5914

Comment 32 errata-xmlrpc 2022-08-08 08:44:12 UTC
This issue has been addressed in the following products:

  OSSM-2.2-RHEL-8

Via RHSA-2022:5915 https://access.redhat.com/errata/RHSA-2022:5915

Comment 34 errata-xmlrpc 2022-08-24 13:48:14 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Data Foundation 4.11 on RHEL8

Via RHSA-2022:6156 https://access.redhat.com/errata/RHSA-2022:6156

Comment 35 errata-xmlrpc 2022-08-31 14:24:13 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 7
  Red Hat Advanced Cluster Management for Kubernetes 2.3 for RHEL 8

Via RHSA-2022:6271 https://access.redhat.com/errata/RHSA-2022:6271

Comment 36 errata-xmlrpc 2022-08-31 14:57:46 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.0

Via RHSA-2022:6272 https://access.redhat.com/errata/RHSA-2022:6272

Comment 37 errata-xmlrpc 2022-08-31 16:56:33 UTC
This issue has been addressed in the following products:

  OpenShift Service Mesh 2.1

Via RHSA-2022:6277 https://access.redhat.com/errata/RHSA-2022:6277

Comment 39 errata-xmlrpc 2022-09-06 14:33:18 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.1 for RHEL 8

Via RHSA-2022:6345 https://access.redhat.com/errata/RHSA-2022:6345

Comment 40 errata-xmlrpc 2022-09-06 22:29:21 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:6370 https://access.redhat.com/errata/RHSA-2022:6370

Comment 41 errata-xmlrpc 2022-09-08 11:26:40 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization 4 for Red Hat Enterprise Linux 8

Via RHSA-2022:6392 https://access.redhat.com/errata/RHSA-2022:6392

Comment 42 errata-xmlrpc 2022-09-08 11:28:44 UTC
This issue has been addressed in the following products:

  Red Hat Virtualization Engine 4.4

Via RHSA-2022:6393 https://access.redhat.com/errata/RHSA-2022:6393

Comment 43 errata-xmlrpc 2022-09-12 21:09:07 UTC
This issue has been addressed in the following products:

  multicluster engine for Kubernetes 2.0 for RHEL 8

Via RHSA-2022:6422 https://access.redhat.com/errata/RHSA-2022:6422

Comment 44 errata-xmlrpc 2022-09-13 20:06:20 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.5 for RHEL 8

Via RHSA-2022:6507 https://access.redhat.com/errata/RHSA-2022:6507

Comment 47 errata-xmlrpc 2022-09-26 14:51:44 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:6696 https://access.redhat.com/errata/RHSA-2022:6696

Comment 48 errata-xmlrpc 2022-10-05 10:46:41 UTC
This issue has been addressed in the following products:

  RHPAM 7.13.1 async

Via RHSA-2022:6813 https://access.redhat.com/errata/RHSA-2022:6813

Comment 49 errata-xmlrpc 2022-10-06 12:28:17 UTC
This issue has been addressed in the following products:

  RHINT Service Registry 2.3.0 GA

Via RHSA-2022:6835 https://access.redhat.com/errata/RHSA-2022:6835

Comment 50 errata-xmlrpc 2022-10-19 12:56:46 UTC
This issue has been addressed in the following products:

  Red Hat Openshift distributed tracing 2.6

Via RHSA-2022:7055 https://access.redhat.com/errata/RHSA-2022:7055

Comment 52 errata-xmlrpc 2022-11-01 16:53:17 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.4 for RHEL 8

Via RHSA-2022:7276 https://access.redhat.com/errata/RHSA-2022:7276

Comment 53 errata-xmlrpc 2022-11-02 14:07:07 UTC
This issue has been addressed in the following products:

  Red Hat Advanced Cluster Management for Kubernetes 2.6 for RHEL 8

Via RHSA-2022:7313 https://access.redhat.com/errata/RHSA-2022:7313

Comment 55 errata-xmlrpc 2022-11-28 14:39:56 UTC
This issue has been addressed in the following products:

  Red Hat Fuse 7.11.1

Via RHSA-2022:8652 https://access.redhat.com/errata/RHSA-2022:8652

Comment 72 errata-xmlrpc 2023-03-01 21:42:57 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 7

Via RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1043

Comment 73 errata-xmlrpc 2023-03-01 21:45:22 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 8

Via RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1044

Comment 74 errata-xmlrpc 2023-03-01 21:47:52 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On 7.6 for RHEL 9

Via RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1045

Comment 75 errata-xmlrpc 2023-03-01 21:50:37 UTC
This issue has been addressed in the following products:

  RHEL-8 based Middleware Containers

Via RHSA-2023:1047 https://access.redhat.com/errata/RHSA-2023:1047

Comment 76 errata-xmlrpc 2023-03-01 21:58:48 UTC
This issue has been addressed in the following products:

  Red Hat Single Sign-On

Via RHSA-2023:1049 https://access.redhat.com/errata/RHSA-2023:1049

Comment 78 errata-xmlrpc 2023-03-28 00:15:06 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2023:1486 https://access.redhat.com/errata/RHSA-2023:1486

Comment 79 Product Security DevOps Team 2023-03-28 03:49:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-31129

Comment 80 errata-xmlrpc 2023-06-15 09:15:28 UTC
This issue has been addressed in the following products:

  Red Hat Ceph Storage 6.1

Via RHSA-2023:3623 https://access.redhat.com/errata/RHSA-2023:3623
