
sonatype-2018-0272 - vulnerable to Regular expression Denial of Service (ReDoS) #465

Closed
jpavlic opened this issue Dec 7, 2020 · 2 comments

Comments

jpavlic commented Dec 7, 2020

I received a notice a few days ago from Sonatype. The package apparently has been diagnosed as having a vulnerability.

EXPLANATION

The ua-parser-js package is vulnerable to Regular expression Denial of Service (ReDoS). The regexes object found in ua-parser.js contains a number of unsafe regular expressions that are used in evaluating user generated strings. A remote unauthenticated attacker can exploit this behavior with a specially crafted user-agent string that can cause the application's process to hang as it attempts to evaluate the user-agent.

DETECTION

The application is vulnerable by using this component.

RECOMMENDATION

There is no non-vulnerable version of this component/package. We recommend investigating alternative components or a potential mitigating control. It is important to note that, although parts of the vulnerability have been fixed, as shown in the additional resources, not all of the reported expressions have been fixed and the component remains vulnerable.

ROOT CAUSE

ua-parser-js-0.7.22.tgz : package/src/ua-parser.js [0.5.20 ,)

MORE INFORMATION

CWE-185 - https://cwe.mitre.org/data/definitions/185.html
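The failure mode Sonatype describes (a regex that backtracks catastrophically on a crafted user-agent) and the "mitigating control" it recommends, as an added example that is not code from ua-parser-js or from either participant in this thread: a product-token regex of the backtracking-prone shape beside a linear rewrite, and a length cap applied before any regex sees the input. The two regexes, `UA_MAX_LENGTH`, `extractProduct`, `timeMatch` and `parseWithCap` are illustrative assumptions, not the library's patterns or API.

```javascript
// Added example, not ua-parser-js code. The regexes and UA_MAX_LENGTH below are
// assumptions chosen to illustrate the ReDoS shape, not patterns from the library.

// Parses a leading "Product/Version" token. The inner group ([\w-]+ ?) may end
// without a space, so a run of word characters can be split between outer
// iterations in 2^(n-1) ways; when the terminating "/" is missing the engine
// tries every split before giving up (exponential in the run length n).
const VULNERABLE_PRODUCT_RE = /^((?:[\w-]+ ?)+)\/(\d+(?:\.\d+)*)/;

// Linear rewrite: every additional token must be preceded by exactly one space,
// so there is only one way to consume a run of word characters. It no longer
// accepts a trailing space before the slash ("Foo /1.0"); such differences need
// checking against real traffic before a rewrite ships.
const SAFE_PRODUCT_RE = /^([\w-]+(?: [\w-]+)*)\/(\d+(?:\.\d+)*)/;

// Assumed cap. Legitimate UA strings are a few hundred bytes; anything longer is
// either broken or hostile and is truncated before any regex sees it.
const UA_MAX_LENGTH = 255;

// Runs one regex against a UA and returns the captured product token, or null.
function extractProduct(re, ua) {
  const m = re.exec(ua);
  return m ? { name: m[1], version: m[2] } : null;
}

// Milliseconds taken by a single re.test() call on input.
function timeMatch(re, input) {
  const start = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Mitigating control for a consumer with no fixed upstream version: bound the
// input before it reaches the parser, and reject non-string input outright.
function parseWithCap(ua) {
  if (typeof ua !== 'string') return null;
  const bounded = ua.length > UA_MAX_LENGTH ? ua.slice(0, UA_MAX_LENGTH) : ua;
  return extractProduct(SAFE_PRODUCT_RE, bounded);
}

// Constructed inputs: a benign UA and a crafted one (word characters with no
// terminating "/") that drives the vulnerable regex into exponential backtracking.
const BENIGN_UA = 'Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36';
const craftedUA = (n) => 'A'.repeat(n) + '!';

// Demo when run directly: both regexes agree on benign input; the vulnerable one
// roughly quadruples its time for every two extra characters of crafted input.
function demo() {
  console.log('benign, vulnerable regex:', extractProduct(VULNERABLE_PRODUCT_RE, BENIGN_UA));
  console.log('benign, safe regex:     ', extractProduct(SAFE_PRODUCT_RE, BENIGN_UA));
  for (const n of [14, 16, 18, 20]) {
    const slow = timeMatch(VULNERABLE_PRODUCT_RE, craftedUA(n)).toFixed(1);
    const fast = timeMatch(SAFE_PRODUCT_RE, craftedUA(n)).toFixed(3);
    console.log(`n=${n}: vulnerable ${slow} ms, safe ${fast} ms`);
  }
  console.log('capped parse of a 10 kB hostile UA:', parseWithCap(craftedUA(10000)));
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

The length cap is a defence in depth, not a fix: it bounds how long the vulnerable regex can run per request, but a pattern with exponential behaviour can still burn noticeable CPU within 255 characters. Rewriting the pattern so each input character can be consumed in only one way is what removes the problem; the cap protects you until that rewrite lands upstream.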

faisalman (Owner) commented

Is there any more detailed information regarding the vulnerability? Given that a few days before you posted this issue, I was already fixing some vulnerable regexes: 6d1f26d

faisalman (Owner) commented

Further discussion on how to safeguard this library from ReDoS can be continued in #342
