
Welcome to Nexus Intelligence Insights!

This month's featured post is on event-stream 0.1.1.

This month, we will take a slight departure from our typical Nexus Intelligence Insights format to cover the recent exploit of npm's event-stream package and the very real threat these types of software supply chain breaches pose to developers and organizations around the world. Our CTO, Brian Fox, covers the shifting battleground of compromised code.

Click on the CVE number or name in the list below to learn more about these vulnerabilities, and what you can do if you're using this component in your code.

 

event-stream package
CVE-2018-10237
TYPE

Unbounded Memory Allocation/Denial of Service attack

Description

Java serialization issues have been around for years, but they did not attract much attention until recently, when it became clear that attackers could use vulnerable classes to deserialize untrusted data, particularly when the deserialization occurs before authentication. Java's type check ensures you only get valid object trees by strictly validating the expected type. Unfortunately, by the time that type check completes, compromised platform code may already have been instantiated and executed significant logic.

By tampering with the request and asking the server to allocate an abnormally large amount of memory, an attacker can overwhelm the server and cause a denial of service.

Components Affected

Google Guava 11.0 through 24.x before 24.1.1.

Sonatype Recommendation

Set a limit on the size of the object graph that servers will accept. For Java, narrow the classes that can be deserialized from "any class available to the application" down to a context-appropriate set of classes.
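The two controls recommended above, a bound on the object graph and an allowlist of deserializable classes, can both be expressed with the ObjectInputFilter introduced in Java 9 (JEP 290). The following is an added example, not Sonatype's or Guava's code; the package com.example.dto is a hypothetical application package standing in for the classes your context actually needs.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;

public class BoundedDeserialization {

    // Graph limits first (depth, reference count, array length, stream bytes), then an
    // allowlist: the java.base types we expect plus the app's own DTO package
    // (com.example.dto is hypothetical). The trailing "!*" rejects every other class.
    private static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "maxdepth=10;maxrefs=1000;maxarray=10000;maxbytes=65536;"
          + "java.lang.Integer;java.lang.Number;java.util.ArrayList;com.example.dto.**;!*");

    // Deserialize an untrusted payload under the filter; a violation surfaces as
    // InvalidClassException ("filter status: REJECTED") before the object is built.
    public static Object readBounded(byte[] payload) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            in.setObjectInputFilter(FILTER); // per-stream filter; a JVM-wide one can be set instead
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) { out.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: a small, expected graph passes the filter.
        List<Integer> small = new ArrayList<>(List.of(1, 2, 3));
        System.out.println("small list accepted: " + readBounded(serialize(small)));

        // Constructed sample: an array header claiming 1,000,000 elements exceeds
        // maxarray and is rejected before any allocation happens.
        int[] big = new int[1_000_000];
        try {
            readBounded(serialize(big));
        } catch (InvalidClassException e) {
            System.out.println("oversized array rejected: " + e.getMessage());
        }
    }
}
```

The same pattern string can be applied process-wide through the jdk.serialFilter system property, which is useful when the vulnerable deserialization lives in a library you do not control.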

CVE-2017-5647
TYPE

Information exposure

Description

Apache Tomcat is vulnerable to Information Disclosure, as it sends the response of a "send file" request (request "A") in response to another request (request "B") that is in the pipeline when the processing of the previous request is completed. An attacker can exploit this vulnerability by sending a request to the targeted system while other requests are being processed. This could allow the attacker to gain sensitive information due to the incorrect response sent when processing of a previous request has completed.

For example:

  1. Normal user sends a request (**Request A**)
  2. Tomcat responds to Request A (**Response A**)
  3. Attacker sends a request (**Request B**)
  4. Due to this vulnerability, Tomcat responds to **Request B** with **Response A**

Components Affected

org.apache.tomcat: tomcat-coyote, coyote

org.apache.tomcat.embed: tomcat-embed-core

org.apache.geronimo.ext.tomcat: Catalina

tomcat:tomcat-http

tomcat:tomcat-http11

tomcat:tomcat-util

org.jboss.web: jbossweb

jboss.web: jbossweb

Sonatype Recommendation

We recommend upgrading to a component version not affected by this vulnerability.