{ "threat_severity" : "Moderate", "public_date" : "2021-04-12T00:00:00Z", "bugzilla" : { "description" : "nodejs-postcss: Regular expression denial of service during source map parsing", "id" : "1948763", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1948763" }, "cvss3" : { "cvss3_base_score" : "5.3", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "The package postcss from 7.0.0 and before 8.2.10 are vulnerable to Regular Expression Denial of Service (ReDoS) during source map parsing.", "A regular expression denial of service (ReDoS) vulnerability was found in the npm library `postcss`. When parsing a supplied CSS string, if it contains an unexpected value then as the supplied CSS grows in length it will take an ever increasing amount of time to process. An attacker can use this vulnerability to potentially craft a malicious a long CSS value to process resulting in a denial of service." ], "statement" : "In Red Hat OpenShift Container Platform (RHOCP), OpenShift ServiceMesh (OSSM) and Red Hat Advanced Cluster Management for Kubernetes (RHACM) the affected containers are behind OpenShift OAuth authentication. This restricts access to the vulnerable nodejs-postcss library to authenticated users only, therefore the impact is low.\nRed Hat OpenShift Container Platform 4 delivers the kibana package where the nodejs-postcss library is used, but due to the code changing to the container first content the kibana package is marked as wontfix. This may be fixed in the future.\nIn Red Had Quay , whilst a vulnerable version of `postcss` is included in the quay-rhel8 container it is a development dependency only, therefor the impact is low.\nIn Red Hat Virtualization a vulnerable version of postcss is used in cockpit-ovirt, ovirt-web-ui and ovirt-engine-ui-extensions. However, it is only used during development and is used to process known CSS content. This flaw has been marked as \"wontfix\" and it may be addressed in future updates.", "affected_release" : [ { "product_name" : "Red Hat OpenShift Container Platform 4.8", "release_date" : "2021-07-27T00:00:00Z", "advisory" : "RHSA-2021:2438", "cpe" : "cpe:/a:redhat:openshift:4.8::el8", "package" : "openshift4/ose-console:v4.8.0-202107010336.p0.git.188a490.assembly.stream", "impact" : "low" }, { "product_name" : "Red Hat Quay 3", "release_date" : "2021-10-19T00:00:00Z", "advisory" : "RHSA-2021:3917", "cpe" : "cpe:/a:redhat:quay:3::el8", "package" : "quay/quay-rhel8:v3.6.0-62", "impact" : "low" } ], "package_state" : [ { "product_name" : "Logging Subsystem for Red Hat OpenShift", "fix_state" : "Fix deferred", "package_name" : "openshift-logging/kibana6-rhel8", "cpe" : "cpe:/a:redhat:logging:5", "impact" : "low" }, { "product_name" : "OpenShift Service Mesh 2.0", "fix_state" : "Affected", "package_name" : "servicemesh-grafana", "cpe" : "cpe:/a:redhat:service_mesh:2.0" }, { "product_name" : "OpenShift Service Mesh 2.0", "fix_state" : "Affected", "package_name" : "servicemesh-prometheus", "cpe" : "cpe:/a:redhat:service_mesh:2.0" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Fix deferred", "package_name" : "application-ui", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Fix deferred", "package_name" : "console", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "grc-ui", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Fix deferred", "package_name" : "search-ui", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Ansible Automation Platform 1.2", "fix_state" : "Not affected", "package_name" : "postcss", "cpe" : "cpe:/a:redhat:ansible_automation_platform" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Not affected", "package_name" : "kibana", "cpe" : "cpe:/a:redhat:openshift:3.11", "impact" : "low" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "golang-github-prometheus-prometheus", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "low" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "kibana", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "low" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift4/ose-grafana", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "low" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift4/ose-logging-kibana6", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "low" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Fix deferred", "package_name" : "openshift4/ose-thanos-rhel8", "cpe" : "cpe:/a:redhat:openshift:4", "impact" : "low" }, { "product_name" : "Red Hat Virtualization 4", "fix_state" : "Will not fix", "package_name" : "cockpit-ovirt", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4", "impact" : "low" }, { "product_name" : "Red Hat Virtualization 4", "fix_state" : "Will not fix", "package_name" : "ovirt-engine-ui-extensions", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4", "impact" : "low" }, { "product_name" : "Red Hat Virtualization 4", "fix_state" : "Will not fix", "package_name" : "ovirt-web-ui", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4", "impact" : "low" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-23368\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-23368" ], "name" : "CVE-2021-23368", "csaw" : false }