
SHA-1 Weak Authentication Algorithm vulnerability in dependency "request" #647

Open
aqan213 opened this issue Jan 14, 2021 · 6 comments

@aqan213

aqan213 commented Jan 14, 2021

Our customer reported a vulnerability in bluemix-autoscaling-agent caused by "request" package.
The vulnerability reports that

"The request package is vulnerable to Weak Authentication Algorithm. The function function in oauth.js uses SHA-1 for authentication which is no longer considered cryptographically secure." 

The module bluemix-autoscaling-agent uses the latest version appmetrics v5.1.1 and request 2.88.0 is a dependency of node-gyp 5.1.1 which is the dependency of appmetrics.

Here is the hierarchy of the "request" module tracking back to bluemix-autoscaling-agent.

Three instances:

"request": "^2.72.0" is required by
"ibmapm-restclient": "version": "20.8.0" is required by
"ibmapm-embed": "version": "20.8.4" is required by
"appmetrics": "version": "5.1.1" is required by
"bluemix-autoscaling-agent": "version": "1.0.14"

"request": "^2.88.0", is required by
"node-gyp": "version": "5.1.1" is required by
"appmetrics": "version": "5.1.1", is required by
"bluemix-autoscaling-agent": "version": "1.0.14",

"request": "^2.83.0",
"kubernetes-client": {
"version": "3.18.1",
"ibmapm-restclient": {
"version": "20.8.0",
……
"bluemix-autoscaling-agent": {
"version": "1.0.14"

Can you please take a look?
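The three "request" chains listed above were evidently traced by hand through a package-lock. As an added example (not code from this issue or from the appmetrics project), the walker below reproduces that tracing over a nested package-lock v1 style tree; the tree is constructed to mirror the reported chains, and the resolved versions of the two ibmapm/kubernetes-client copies are assumed, since the report only gives their semver ranges.

```javascript
// Constructed sample mirroring the three chains in the report; not the
// real lockfile of bluemix-autoscaling-agent. Versions marked "assumed"
// are not stated in the issue.
const sampleLock = {
  name: "bluemix-autoscaling-agent",
  version: "1.0.14",
  dependencies: {
    appmetrics: {
      version: "5.1.1",
      dependencies: {
        "node-gyp": {
          version: "5.1.1",
          dependencies: { request: { version: "2.88.0" } },
        },
        "ibmapm-embed": {
          version: "20.8.4",
          dependencies: {
            "ibmapm-restclient": {
              version: "20.8.0",
              dependencies: {
                request: { version: "2.88.2" }, // assumed resolution of ^2.72.0
                "kubernetes-client": {
                  version: "3.18.1",
                  dependencies: { request: { version: "2.88.2" } }, // assumed, ^2.83.0
                },
              },
            },
          },
        },
      },
    },
  },
};

// Depth-first walk over nested "dependencies" maps. Returns one string per
// occurrence of `target`, formatted "root@v > a@v > ... > target@v".
// Caveat: only nested copies are followed; a hoisted copy shared by several
// parents shows up once, at the level where npm placed it.
function findDependencyPaths(lock, target) {
  const paths = [];
  const walk = (node, name, trail) => {
    const here = trail.concat(`${name}@${node.version}`);
    if (name === target) paths.push(here.join(" > "));
    for (const [dep, child] of Object.entries(node.dependencies || {})) {
      walk(child, dep, here);
    }
  };
  walk(lock, lock.name, []);
  return paths;
}

const requestPaths = findDependencyPaths(sampleLock, "request");
console.log(requestPaths.join("\n")); // prints the three chains from the report
```

Pointing `sampleLock` at a parsed real package-lock.json (`JSON.parse(fs.readFileSync(...))`) gives the same report for an actual install.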

@mattcolegate
Member

mattcolegate commented Jan 14, 2021

Thanks for this. The solution would be to update our dependency to a version of node-gyp that doesn't require a version of request. I notice that https://github.com/nodejs/node-gyp/blob/master/package.json still requires request at a level of ^2.88.2. Can you tell me if that version of request still has that vulnerability please?

@mattcolegate
Member

According to request/request#2640 it looks like all versions of request are vulnerable. Solution is therefore to get node-gyp to move away from request. It looks like they already have an issue open for that, nodejs/node-gyp#2047, although it's not looking hopeful. Until that is resolved, appmetrics is unable to do anything.

@aqan213
Author

aqan213 commented Jan 14, 2021

Thanks for the response. How about the other 2 versions of request from the other 2 packages?

"request": "^2.72.0" -->"ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics"

and
"request": "^2.83.0" --> "kubernetes-client" --> "ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics"

@mattcolegate
Member

mattcolegate commented Jan 14, 2021

@donacarr

Hi @mattcolegate, it seems like nodejs/node-gyp#2220 solved issue nodejs/node-gyp#2047 migrating requests to fetch.
When do you plan to use the nodejs version containing the fix?

@mattcolegate
Member

Hi @donacarr, looks like this is going into node-gyp v8.0.0 nodejs/node-gyp#2346 - when that version releases we can start looking to pull it into appmetrics.
