Описание
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.
A Regular Expression Denial of Service (ReDOS) vulnerability was found in Color-String, which occurs when the application is provided and checks a crafted invalid HWB string. The highest threat from this vulnerability is to system availability.
Отчет
OpenShift Service Mesh 1.1.x is in its maintenance phase, only Important and Critical vulnerabilities will be fixed at this time.
In OpenShift Container Platform (OCP) and OpenShift Service Mesh (OSSM) some components include the vulnerable color-string library, but access is protected by OpenShift OAuth what reducing impact by this flaw to LOW.
Starting in OCP 4.7, the kibana component is shipping as "container first" content and as a part of the OpenShift Logging product (openshift-logging/kibana6-rhel8) and is not affected by this vulnerability. The kibana components delivered in OCP 4.6 and earlier are marked as Out of support scope because these versions are already under Maintenance Phase of the support.
In Red Hat Advanced Cluster Management for Kubernetes (RHACM) all containers are using the 1.5.5 fixed version, hence not RHACM version is affected by this flaw.
In Red Hat Virtualization a vulnerable version of color-string is used in ovirt-web-ui and ovirt-engine-ui-extensions. It is a build-time dependency not exploitable in the delivered product. Therefore impact is rated Low and it will not be immediately fixed. An update may be provided in future releases.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Logging Subsystem for Red Hat OpenShift | openshift-logging/kibana6-rhel8 | Not affected | ||
| OpenShift Service Mesh 1 | servicemesh-grafana | Will not fix | ||
| OpenShift Service Mesh 1 | servicemesh-prometheus | Will not fix | ||
| OpenShift Service Mesh 2.0 | servicemesh-grafana | Affected | ||
| OpenShift Service Mesh 2.0 | servicemesh-prometheus | Affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/console-ui-rhel8 | Not affected | ||
| Red Hat Advanced Cluster Management for Kubernetes 2 | rhacm2/search-ui-rhel8 | Not affected | ||
| Red Hat OpenShift Container Platform 3.11 | kibana | Out of support scope | ||
| Red Hat OpenShift Container Platform 4 | kibana | Out of support scope |
Показывать по
Дополнительная информация
Статус:
EPSS
5.3 Medium
CVSS3
Связанные уязвимости
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.
A Regular Expression Denial of Service (ReDOS) vulnerability was discovered in Color-String version 1.5.5 and below which occurs when the application is provided and checks a crafted invalid HWB string.
A Regular Expression Denial of Service (ReDOS) vulnerability was disco ...
Уязвимость библиотеки для синтаксического анализа и генерации строк CSS Color-String, позволяющая нарушителю вызвать отказ в обслуживании
EPSS
5.3 Medium
CVSS3