
SHA-1 Weak Authentication Algorithm vulnerability in dependency "request"

Open aqan213 opened this issue 3 years ago • 6 comments

Our customer reported a vulnerability in bluemix-autoscaling-agent caused by the "request" package. The vulnerability report says that

"The request package is vulnerable to Weak Authentication Algorithm. The function function in oauth.js uses SHA-1 for authentication which is no longer considered cryptographically secure." 

The module bluemix-autoscaling-agent uses the latest appmetrics version, v5.1.1; request 2.88.0 is a dependency of node-gyp 5.1.1, which is a dependency of appmetrics.

Here is the hierarchy of the "request" module tracking back to bluemix-autoscaling-agent.

Three instances:

"request": "^2.72.0" is required by
"ibmapm-restclient": "version": "20.8.0" is required by
"ibmapm-embed": "version": "20.8.4" is required by
"appmetrics": "version": "5.1.1" is required by
"bluemix-autoscaling-agent": "version": "1.0.14"

"request": "^2.88.0" is required by
"node-gyp": "version": "5.1.1" is required by
"appmetrics": "version": "5.1.1" is required by
"bluemix-autoscaling-agent": "version": "1.0.14"

"request": "^2.83.0" is required by
"kubernetes-client": "version": "3.18.1" is required by
"ibmapm-restclient": "version": "20.8.0" is required by
……
"bluemix-autoscaling-agent": "version": "1.0.14"

Can you please take a look?

aqan213 avatar Jan 14 '21 10:01 aqan213
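The chains traced above can be derived mechanically from the lockfile instead of by hand. The following is an added example, not code from this issue or from the appmetrics project: it walks an npm package-lock.json v1 style nested "dependencies" tree and lists every path that ends at a target package. The tree is constructed to mirror the three chains listed; the resolved versions of the two request instances the report only gives as ranges are assumed.

```javascript
// Added example (not from the appmetrics issue or project): enumerate every
// dependency chain from the root package down to a target package in an npm
// package-lock.json v1 style nested "dependencies" tree. The tree below is
// CONSTRUCTED to mirror the issue's three chains; two resolved versions are ASSUMED.
const constructedLock = {
  name: "bluemix-autoscaling-agent",
  version: "1.0.14",
  dependencies: {
    appmetrics: {
      version: "5.1.1",
      dependencies: {
        "node-gyp": { version: "5.1.1", dependencies: { request: { version: "2.88.0" } } },
        "ibmapm-embed": {
          version: "20.8.4",
          dependencies: {
            "ibmapm-restclient": {
              version: "20.8.0",
              dependencies: {
                request: { version: "2.88.0" }, // assumed resolved version
                "kubernetes-client": {
                  version: "3.18.1",
                  dependencies: { request: { version: "2.88.0" } }, // assumed
                },
              },
            },
          },
        },
      },
    },
  },
};

// Depth-first walk; returns one array of "name@version" entries per chain ending at `target`.
function findDependencyChains(lock, target) {
  const chains = [];
  const walk = (node, name, path) => {
    const here = [...path, `${name}@${node.version}`];
    if (name === target) chains.push(here);
    for (const [child, childNode] of Object.entries(node.dependencies || {})) {
      walk(childNode, child, here);
    }
  };
  walk(lock, lock.name, []);
  return chains;
}

for (const chain of findDependencyChains(constructedLock, "request")) {
  console.log(chain.join(" --> "));
}
```

On a real project, replace `constructedLock` with `JSON.parse(fs.readFileSync("package-lock.json"))`; lockfile v2/v3 files use a flat "packages" map instead, which this walker does not read.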

Thanks for this. The solution would be to update our dependency to a version of node-gyp that doesn't require a version of request. I notice that https://github.com/nodejs/node-gyp/blob/master/package.json still requires request at a level of ^2.88.2. Can you tell me if that version of request still has that vulnerability please?

mattcolegate avatar Jan 14 '21 11:01 mattcolegate

According to https://github.com/request/request/issues/2640 it looks like all versions of request are vulnerable. The solution is therefore to get node-gyp to move away from request. It looks like they already have an issue open for that, https://github.com/nodejs/node-gyp/issues/2047, although it's not looking hopeful. Until that is resolved, appmetrics is unable to do anything.

mattcolegate avatar Jan 14 '21 11:01 mattcolegate

Thanks for the response. How about the other two versions of request from the other two packages?

"request": "^2.72.0" -->"ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics"

and "request": "^2.83.0" --> "kubernetes-client" --> "ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics"

aqan213 avatar Jan 14 '21 19:01 aqan213

Best handled by raising issues on https://github.com/IBM/node-ibmapm-restclient and https://github.com/godaddy/kubernetes-client

mattcolegate avatar Jan 14 '21 21:01 mattcolegate

Hi @mattcolegate, it seems like https://github.com/nodejs/node-gyp/pull/2220 solved issue https://github.com/nodejs/node-gyp/issues/2047 by migrating from request to fetch. When do you plan to use the nodejs version containing the fix?

donacarr avatar Mar 25 '21 08:03 donacarr

Hi @donacarr, looks like this is going into node-gyp v8.0.0 (https://github.com/nodejs/node-gyp/pull/2346); when that version releases we can start looking to pull it into appmetrics.

mattcolegate avatar Mar 25 '21 09:03 mattcolegate