Name of Vulnerability: CVE-2018-16487 (as a result of an incomplete fix made for CVE-2018-3721)
Type of Vulnerability: DoS, Remote code execution
Component Name: lodash (as present in npm)
Versions Affected: [4.17.5, 4.17.11)
CVSS 3.0 Score: 9.8
CVSS 3.0 Metrics: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Advisory Deviation: The Sonatype security research team discovered that the root cause of this vulnerability was introduced in version 4.17.5 due to an incomplete fix made for CVE-2018-3721. As a result, contrary to what the advisory states, only versions between 4.17.5 and 4.17.11 (exclusive) have been implicated for CVE-2018-16487. Vulnerable versions prior to 4.17.5 are still covered by CVE-2018-3721.
The `lodash` package is vulnerable to Prototype Pollution. The `safeGet()` function in the `lodash.js` file fails to restrict the addition or modification of properties of Object prototypes. A remote attacker can exploit this vulnerability by crafting and submitting a request containing malicious JSON to an endpoint that accepts JSON data. The attacker can leverage this vulnerability to modify Object prototype properties which, depending on the behavior of the object within the application, can result in a Denial of Service (DoS) or potentially Remote Code Execution (RCE).
Here’s an example of how a typical attack might work:
When an application passes user-supplied JSON to lodash's `merge`, `mergeWith`, or `defaultsDeep` functions, an attacker is able to cause an exception within the application and hence a Denial of Service (DoS).
The resulting crash amounts to a Denial of Service (DoS) attack, and the same prototype modification can have other unintended consequences, such as the ability for someone to remotely execute code.
It is important to note (per the developers in the HackerOne report) that the prototypes of Object, Array, Function, Number, String, and Boolean are vulnerable as well. Just because one property is fixed does not mean the others are not vulnerable. Users are advised to pay particular attention to the remediation guidance for this attack vector.
Users are advised to upgrade to version 4.17.11 of `lodash`, which contains the fix.
If upgrading is not a viable option, some developers have chosen to protect against this vulnerability by replacing a property entirely (rather than recursively extending it) if the destination object does not have that property as its own property. That prevents traversal through the built-in 'constructor' property, but does not prevent the name 'constructor' from being used in other contexts.
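The workaround above, written out as an added example (this is not lodash's code, and `safeMerge`, `prototypeStaysClean` and `SAMPLE` are names chosen here): a deep merge that only recurses into a key the destination already owns, and, going one step beyond the page's workaround, skips the three keys that address the prototype chain outright. `prototypeStaysClean` is the check a test suite should run over representative user-supplied documents; the sample document is constructed for this example.

```javascript
// Added example: a deep merge that follows the mitigation described above.
// A key is recursed into only when the destination has it as an OWN plain
// object; otherwise the source value is assigned as a whole. On top of that,
// keys that name the prototype chain are ignored, so "constructor.prototype"
// or "__proto__" in an input document never becomes a path to Object.prototype.
const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {       // own enumerable keys only
    if (UNSAFE_KEYS.has(key)) continue;           // never walk the prototype chain
    const src = source[key];
    const ownPlain = Object.prototype.hasOwnProperty.call(target, key) &&
                     isPlainObject(target[key]);
    if (isPlainObject(src) && ownPlain) {
      safeMerge(target[key], src);                // extend an object we already own
    } else {
      // Replace rather than extend: deep-copy plain objects through the same
      // guarded routine so nested unsafe keys are dropped as well.
      target[key] = isPlainObject(src) ? safeMerge({}, src) : src;
    }
  }
  return target;
}

// Merges a JSON document into a fresh object and reports whether a property
// named `probe` leaked onto Object.prototype. `clean` must be true for every
// document processed; a false result means the merge routine is unsafe.
function prototypeStaysClean(json, probe) {
  const merged = safeMerge({}, JSON.parse(json));
  const clean = !(probe in {}) && ({})[probe] === undefined;
  return { merged, clean };
}

// Constructed sample: a document that tries to reach Object.prototype through
// the built-in 'constructor' property, the traversal path the advisory names.
const SAMPLE = '{"user":"alice","constructor":{"prototype":{"isAdmin":true}}}';

const result = prototypeStaysClean(SAMPLE, 'isAdmin');
console.log('merged:', JSON.stringify(result.merged), 'prototype clean:', result.clean);
```

Upgrading to 4.17.11 remains the fix; this routine is only a stopgap for code paths that cannot be upgraded yet.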
DevOps-native organizations with the ability to continuously deploy software releases have an automation advantage that allows them to stay one step ahead of the hackers. Customers of Sonatype Nexus were notified of CVE-2018-16487 within hours of the discovery. Their development teams automatically received instructions on how to remediate the risk.
If you're not a Sonatype customer and want to find out if your code is vulnerable, you can use Sonatype's free Nexus Vulnerability Scanner to quickly find out.
Visit the Nexus Intelligence Insights page for a deep dive into other vulnerabilities like this one or subscribe to automatically receive Nexus Intelligence Insights hot off the press.