{ "threat_severity" : "Moderate", "public_date" : "2021-09-17T00:00:00Z", "bugzilla" : { "description" : "nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes", "id" : "2007557", "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2007557" }, "cvss3" : { "cvss3_base_score" : "7.5", "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "status" : "verified" }, "cwe" : "CWE-400", "details" : [ "ansi-regex is vulnerable to Inefficient Regular Expression Complexity", "A regular expression denial of service (ReDoS) vulnerability was found in nodejs-ansi-regex. This could possibly cause an application using ansi-regex to use an excessive amount of CPU time when matching crafted ANSI escape codes." ], "statement" : "This flaw requires crafted invalid ANSI escape codes in order to be exploited and only allows for denial of service of applications on the client side, hence the impact has been rated as Moderate.\nIn Red Hat Virtualization and Red Hat Quay some components use a vulnerable version of ansi-regex. However, all frontend code is executed on the client side. As the maximum impact of this vulnerability is denial of service in the client, the vulnerability is rated Moderate for those products.\nOpenShift Container Platform 4 (OCP) ships affected version of ansi-regex in the ose-metering-hadoop container, however the metering operator is deprecated since 4.6[1]. This issue is not currently planned to be addressed in future updates and hence hadoop container has been marked as 'will not fix'.\nAdvanced Cluster Management for Kubernetes (RHACM) ships the affected version of ansi-regex in several containers, however the impact of this vulnerability is deemed low as it would result in an authenticated slowing down their own user interface. \n[1] https://docs.openshift.com/container-platform/4.6/metering/metering-about-metering.html", "affected_release" : [ { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2021-12-16T00:00:00Z", "advisory" : "RHSA-2021:5171", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nodejs:16-8050020211206113934.c5368500" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2022-02-01T00:00:00Z", "advisory" : "RHSA-2022:0350", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nodejs:14-8050020211213115342.c5368500" }, { "product_name" : "Red Hat Enterprise Linux 8", "release_date" : "2022-09-13T00:00:00Z", "advisory" : "RHSA-2022:6449", "cpe" : "cpe:/a:redhat:enterprise_linux:8", "package" : "nodejs:16-8060020220805104227.ad008a3a" }, { "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support", "release_date" : "2022-01-25T00:00:00Z", "advisory" : "RHSA-2022:0246", "cpe" : "cpe:/a:redhat:rhel_eus:8.4", "package" : "nodejs:14-8040020211213111158.522a0ee4" }, { "product_name" : "Red Hat Enterprise Linux 9", "release_date" : "2022-09-20T00:00:00Z", "advisory" : "RHSA-2022:6595", "cpe" : "cpe:/a:redhat:enterprise_linux:9", "package" : "nodejs-nodemon-0:2.0.19-1.el9_0" }, { "product_name" : "Red Hat Fuse 7.11", "release_date" : "2022-07-07T00:00:00Z", "advisory" : "RHSA-2022:5532", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "io.hawt-hawtio-online" }, { "product_name" : "Red Hat Fuse 7.11", "release_date" : "2022-07-07T00:00:00Z", "advisory" : "RHSA-2022:5532", "cpe" : "cpe:/a:redhat:jboss_fuse:7", "package" : "io.hawt-project" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.6", "release_date" : "2022-05-31T00:00:00Z", "advisory" : "RHSA-2022:4814", "cpe" : "cpe:/a:redhat:rhmt:1.6::el8", "package" : "rhmtc/openshift-migration-ui-rhel8:v1.6.5-8" }, { "product_name" : "Red Hat Migration Toolkit for Containers 1.7", "release_date" : "2022-07-01T00:00:00Z", "advisory" : "RHSA-2022:5483", "cpe" : "cpe:/a:redhat:rhmt:1.7::el8", "package" : "rhmtc/openshift-migration-ui-rhel8:v1.7.2-9" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2022-01-06T00:00:00Z", "advisory" : "RHSA-2022:0041", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs14-nodejs-0:14.18.2-1.el7" }, { "product_name" : "Red Hat Software Collections for Red Hat Enterprise Linux 7", "release_date" : "2022-01-06T00:00:00Z", "advisory" : "RHSA-2022:0041", "cpe" : "cpe:/a:redhat:rhel_software_collections:3::el7", "package" : "rh-nodejs14-nodejs-nodemon-0:2.0.3-6.el7" }, { "product_name" : "Red Hat Virtualization Engine 4.4", "release_date" : "2022-05-26T00:00:00Z", "advisory" : "RHSA-2022:4711", "cpe" : "cpe:/a:redhat:rhev_manager:4.4:el8", "package" : "ovirt-engine-ui-extensions-0:1.3.3-1.el8ev", "impact" : "moderate" }, { "product_name" : "Red Hat Virtualization Engine 4.4", "release_date" : "2022-07-14T00:00:00Z", "advisory" : "RHSA-2022:5555", "cpe" : "cpe:/a:redhat:rhev_manager:4.4:el8", "package" : "ovirt-web-ui-0:1.9.0-1.el8ev", "impact" : "moderate" }, { "product_name" : "RHODF-4.13-RHEL-9", "release_date" : "2023-06-21T00:00:00Z", "advisory" : "RHSA-2023:3742", "cpe" : "cpe:/a:redhat:openshift_data_foundation:4.13::el9", "package" : "odf4/mcg-core-rhel9:v4.13.0-41" } ], "package_state" : [ { "product_name" : "Migration Toolkit for Virtualization", "fix_state" : "Fix deferred", "package_name" : "migration-toolkit-virtualization/mtv-ui-rhel8", "cpe" : "cpe:/a:redhat:migration_toolkit_virtualization:2" }, { "product_name" : "OpenShift Service Mesh 1", "fix_state" : "Out of support scope", "package_name" : "kiali", "cpe" : "cpe:/a:redhat:service_mesh:1" }, { "product_name" : "OpenShift Service Mesh 1", "fix_state" : "Out of support scope", "package_name" : "servicemesh-grafana", "cpe" : "cpe:/a:redhat:service_mesh:1" }, { "product_name" : "OpenShift Service Mesh 1", "fix_state" : "Out of support scope", "package_name" : "servicemesh-prometheus", "cpe" : "cpe:/a:redhat:service_mesh:1" }, { "product_name" : "OpenShift Service Mesh 2.0", "fix_state" : "Affected", "package_name" : "servicemesh-grafana", "cpe" : "cpe:/a:redhat:service_mesh:2.0" }, { "product_name" : "OpenShift Service Mesh 2.0", "fix_state" : "Affected", "package_name" : "servicemesh-prometheus", "cpe" : "cpe:/a:redhat:service_mesh:2.0" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/application-ui-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/console-api-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Fix deferred", "package_name" : "rhacm2/console-header-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/console-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Fix deferred", "package_name" : "rhacm2/console-ui-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/grc-ui-api-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/grc-ui-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/kui-web-terminal-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Fix deferred", "package_name" : "rhacm2/mcm-topology-api-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Fix deferred", "package_name" : "rhacm2/mcm-topology-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Affected", "package_name" : "rhacm2/search-api-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat Advanced Cluster Management for Kubernetes 2", "fix_state" : "Not affected", "package_name" : "rhacm2/search-ui-rhel8", "cpe" : "cpe:/a:redhat:acm:2", "impact" : "low" }, { "product_name" : "Red Hat A-MQ Online", "fix_state" : "Out of support scope", "package_name" : "io.enmasse-enmasse", "cpe" : "cpe:/a:redhat:amq_online:1" }, { "product_name" : "Red Hat Ansible Automation Platform 1.2", "fix_state" : "Not affected", "package_name" : "ansi-regex", "cpe" : "cpe:/a:redhat:ansible_automation_platform" }, { "product_name" : "Red Hat build of Apicurio Registry 2", "fix_state" : "Affected", "package_name" : "io.apicurio-apicurio-registry", "cpe" : "cpe:/a:redhat:service_registry:2" }, { "product_name" : "Red Hat Ceph Storage 3", "fix_state" : "Out of support scope", "package_name" : "grafana", "cpe" : "cpe:/a:redhat:ceph_storage:3" }, { "product_name" : "Red Hat Ceph Storage 4", "fix_state" : "Will not fix", "package_name" : "ceph", "cpe" : "cpe:/a:redhat:ceph_storage:4" }, { "product_name" : "Red Hat Ceph Storage 4", "fix_state" : "Out of support scope", "package_name" : "cockpit-ceph-installer", "cpe" : "cpe:/a:redhat:ceph_storage:4" }, { "product_name" : "Red Hat Ceph Storage 4", "fix_state" : "Will not fix", "package_name" : "rhceph/rhceph-4-dashboard-rhel8", "cpe" : "cpe:/a:redhat:ceph_storage:4" }, { "product_name" : "Red Hat Ceph Storage 5", "fix_state" : "Affected", "package_name" : "ceph", "cpe" : "cpe:/a:redhat:ceph_storage:5" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "org.infinispan-infinispan-console", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Data Grid 8", "fix_state" : "Not affected", "package_name" : "org.infinispan-infinispan-js-client", "cpe" : "cpe:/a:redhat:jboss_data_grid:8" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Not affected", "package_name" : "org.drools-droolsjbpm-integration", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Not affected", "package_name" : "org.kie.workbench-kie-wb-common", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Not affected", "package_name" : "org.optaweb.employeerostering-optaweb-employee-rostering", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Not affected", "package_name" : "org.optaweb.vehiclerouting-optaweb-vehicle-routing", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Decision Manager 7", "fix_state" : "Not affected", "package_name" : "org.uberfire-uberfire-parent", "cpe" : "cpe:/a:redhat:jboss_enterprise_brms_platform:7" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Affected", "package_name" : "nodejs:12/nodejs", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 8", "fix_state" : "Will not fix", "package_name" : "nodejs:12/nodejs-nodemon", "cpe" : "cpe:/o:redhat:enterprise_linux:8" }, { "product_name" : "Red Hat Enterprise Linux 9", "fix_state" : "Affected", "package_name" : "nodejs", "cpe" : "cpe:/o:redhat:enterprise_linux:9" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "io.apicurio-apicurito", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Fuse 7", "fix_state" : "Not affected", "package_name" : "io.syndesis-syndesis-ui", "cpe" : "cpe:/a:redhat:jboss_fuse:7" }, { "product_name" : "Red Hat Integration Camel K 1", "fix_state" : "Not affected", "package_name" : "io.apicurio-apicurio-registry", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat Integration Camel Quarkus 1", "fix_state" : "Not affected", "package_name" : "io.apicurio-apicurio-registry", "cpe" : "cpe:/a:redhat:camel_quarkus:2" }, { "product_name" : "Red Hat Integration Service Registry", "fix_state" : "Not affected", "package_name" : "io.apicurio-apicurio-registry", "cpe" : "cpe:/a:redhat:integration:1" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "org.infinispan-infinispan-js-client", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "org.infinispan-infinispan-management-console", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Data Grid 7", "fix_state" : "Out of support scope", "package_name" : "org.jboss.hal-hal-parent", "cpe" : "cpe:/a:redhat:jboss_data_grid:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 6", "fix_state" : "Out of support scope", "package_name" : "org.keycloak-keycloak-parent", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:6" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "io.smallrye-smallrye-open-api-parent", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform 7", "fix_state" : "Not affected", "package_name" : "org.jboss.hal-hal-parent", "cpe" : "cpe:/a:redhat:jboss_enterprise_application_platform:7" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "io.smallrye-smallrye-open-api-parent", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat JBoss Enterprise Application Platform Expansion Pack", "fix_state" : "Not affected", "package_name" : "org.jboss.hal-hal-parent", "cpe" : "cpe:/a:redhat:jbosseapxp" }, { "product_name" : "Red Hat OpenShift Container Platform 3.11", "fix_state" : "Out of support scope", "package_name" : "kibana", "cpe" : "cpe:/a:redhat:openshift:3.11" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-console", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-grafana", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-metering-hadoop", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-prometheus", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat OpenShift Container Platform 4", "fix_state" : "Will not fix", "package_name" : "openshift4/ose-thanos-rhel8", "cpe" : "cpe:/a:redhat:openshift:4" }, { "product_name" : "Red Hat Openshift Container Storage 4", "fix_state" : "Out of support scope", "package_name" : "ocs4/mcg-core-rhel8", "cpe" : "cpe:/a:redhat:openshift_container_storage:4" }, { "product_name" : "Red Hat OpenShift GitOps", "fix_state" : "Will not fix", "package_name" : "openshift-gitops-1/argocd-rhel8", "cpe" : "cpe:/a:redhat:openshift_gitops:1" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "org.drools-droolsjbpm-integration", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "org.keycloak-keycloak-connect", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "org.keycloak-keycloak-parent", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "org.kie.workbench-kie-wb-common", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "org.optaweb.employeerostering-optaweb-employee-rostering", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "org.optaweb.vehiclerouting-optaweb-vehicle-routing", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Process Automation 7", "fix_state" : "Not affected", "package_name" : "org.uberfire-uberfire-parent", "cpe" : "cpe:/a:redhat:jboss_enterprise_bpms_platform:7" }, { "product_name" : "Red Hat Quay 3", "fix_state" : "Will not fix", "package_name" : "quay/quay-rhel8", "cpe" : "cpe:/a:redhat:quay:3", "impact" : "moderate" }, { "product_name" : "Red Hat Satellite 6", "fix_state" : "Fix deferred", "package_name" : "tfm-rubygem-rabl", "cpe" : "cpe:/a:redhat:satellite:6", "impact" : "low" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Will not fix", "package_name" : "rh-nodejs12-nodejs", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat Software Collections", "fix_state" : "Out of support scope", "package_name" : "rh-nodejs12-nodejs-nodemon", "cpe" : "cpe:/a:redhat:rhel_software_collections:3" }, { "product_name" : "Red Hat Virtualization 4", "fix_state" : "Will not fix", "package_name" : "cockpit-ovirt", "cpe" : "cpe:/o:redhat:rhev_hypervisor:4", "impact" : "moderate" } ], "references" : [ "https://www.cve.org/CVERecord?id=CVE-2021-3807\nhttps://nvd.nist.gov/vuln/detail/CVE-2021-3807\nhttps://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994" ], "name" : "CVE-2021-3807", "csaw" : false }