Vulnerability Name:

CVE-2021-27290 (CCN-198144)

Assigned: 2021-02-10
Published: 2021-02-10
Updated: 2022-05-13
Summary: ssri 5.2.2-8.0.0, fixed in 8.0.1, processes SRIs using a regular expression which is vulnerable to a denial of service. Malicious SRIs could take an extremely long time to process, leading to denial of service. This issue only affects consumers using the strict option.
CVSS v3 Severity: 7.5 High (CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.7 Medium (Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.7 Medium (CCN Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
7.5 High (REDHAT CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
6.7 Medium (REDHAT Temporal CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P/RL:O/RC:C)
Exploitability Metrics: Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Unchanged
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): High
CVSS v2 Severity: 4.3 Medium (CVSS v2 Vector: AV:N/AC:M/Au:N/C:N/I:N/A:P)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Medium
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Partial
7.8 High (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): None
Integrity (I): None
Availability (A): Complete
Vulnerability Type: CWE-Other
CWE-400
Vulnerability Consequences: Denial of Service
References:
Source: MITRE
Type: CNA
CVE-2021-27290

Source: CONFIRM
Type: Patch, Third Party Advisory
https://cert-portal.siemens.com/productcert/pdf/ssa-389290.pdf

Source: CCN
Type: Doyensec Web site
Regular Expression Denial of service (ReDoS) in npm/ssri

Source: MISC
Type: Exploit, Patch, Third Party Advisory
https://doyensec.com/resources/Doyensec_Advisory_ssri_redos.pdf

Source: XF
Type: UNKNOWN
nodejs-cve202127290-dos(198144)

Source: CCN
Type: ssri GIT Repository
fix: simplify regex for strict mode, add tests

Source: MISC
Type: Exploit, Third Party Advisory
https://github.com/yetingli/SaveResults/blob/main/pdf/ssri-redos.pdf

Source: CCN
Type: Node.js Blog, 2021-07-01
July 2021 Security Releases

Source: MISC
Type: Product
https://npmjs.com

Source: CCN
Type: IBM Security Bulletin 6463295 (App Connect Enterprise)
IBM Integration Bus & IBM App Connect Enterprise V11 are affected by vulnerabilities in Node.js (CVE-2021-27290)

Source: CCN
Type: IBM Security Bulletin 6493729 (Cloud Pak for Security)
Cloud Pak for Security is vulnerable to several CVEs

Source: CCN
Type: IBM Security Bulletin 6494661 (Rational Application Developer for WebSphere Software)
Multiple vulnerabilities affect IBM Rational Application Developer for WebSphere Software - September 2021

Source: CCN
Type: IBM Security Bulletin 6497077 (App Connect Enterprise Certified Container)
IBM App Connect Enterprise Certified Container images may be vulnerable to Denial of Service attacks due to CVE-2021-23362 and CVE-2021-27290

Source: CCN
Type: IBM Security Bulletin 6507095 (Planning Analytics)
IBM Planning Analytics Workspace is affected by security vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6559694 (Watson Assistant for Cloud Pak for Data)
Security Bulletin: Vulnerability in Node.js-CVE-2021-23362, CVE-2021-22921, CVE-2021-22918, CVE-2021-27290 may affect IBM Watson Assistant for IBM Cloud Pak for Data.

Source: CCN
Type: IBM Security Bulletin 6564317 (Engineering Requirements Quality Assistant)
There are multiple vulnerabilities that affect IBM Engineering Requirements Quality Assistant On-Premises (CVE-2021-4104, CVE-2021-29469, CVE-2021-44531, CVE-2021-44531, CVE-2022-21824, CVE-2021-29899, CVE-2021-27290 )

Source: CCN
Type: IBM Security Bulletin 6573633 (QRadar Use Case Manager)
IBM QRadar Use Case Manager app is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6575667 (Spectrum Discover)
High severity vulnerabilities in libraries used by IBM Spectrum Discover (libraries of libraries)

Source: CCN
Type: IBM Security Bulletin 6590981 (QRadar Data Synchronization App)
IBM QRadar Data Synchronization App for IBM QRadar SIEM is vulnerable to using components with known vulnerabilities

Source: CCN
Type: IBM Security Bulletin 6591203 (Netcool Agile Service Manager)
Multiple Vulnerabilities in Node.js affects IBM Netcool Agile Service Manager

Source: CCN
Type: IBM Security Bulletin 6612727 (Cloud Pak System Software)
Multiple Vulnerabilities in Node.js affect IBM Cloud Pak System

Source: CCN
Type: Oracle CPUOct2021
Oracle Critical Patch Update Advisory - October 2021

Source: MISC
Type: Patch, Third Party Advisory
https://www.oracle.com/security-alerts/cpuoct2021.html

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:ssri_project:ssri:*:*:*:*:*:node.js:*:* (Version >= 7.0.0 and < 8.0.1)
  • OR cpe:/a:ssri_project:ssri:*:*:*:*:*:node.js:*:* (Version >= 5.2.2 and < 6.0.2)

Configuration 2:
  • cpe:/a:oracle:graalvm:20.3.3:*:*:*:enterprise:*:*:*
  • OR cpe:/a:oracle:graalvm:21.2.0:*:*:*:enterprise:*:*:*

Configuration 3:
  • cpe:/a:siemens:sinec_infrastructure_network_services:*:*:*:*:*:*:*:* (Version < 1.0.1.1)

Configuration RedHat 1:
  • cpe:/a:redhat:enterprise_linux:8:*:*:*:*:*:*:*

Configuration RedHat 2:
  • cpe:/a:redhat:enterprise_linux:8::appstream:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:nodejs:node.js:*:*:*:*:-:*:*:*
  • OR cpe:/a:ibm:rational_application_developer:9.6:*:*:*:websphere:*:*:*
  • OR cpe:/a:ibm:integration_bus:10.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect:11.0.0.0:*:*:*:enterprise:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.1:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.2:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.3:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:app_connect_enterprise_certified_container:1.0.4:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.1.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:cloud_pak_for_security:1.7.2.0:*:*:*:*:*:*:*
  • OR cpe:/a:ibm:planning_analytics:2.0:*:*:*:*:*:*:*

Oval Definitions
Definition ID | Class | Title | Last Modified
oval:org.opensuse.security:def:8159 | P | Security update for terraform-provider-null (Important) | 2023-06-21
oval:org.opensuse.security:def:8157 | P | Security update for terraform-provider-aws (Important) | 2023-06-21
oval:org.opensuse.security:def:8181 | P | Security update for terraform-provider-null (Important) | 2023-06-21
oval:org.opensuse.security:def:8182 | P | Security update for terraform-provider-helm (Important) | 2023-06-21
oval:org.opensuse.security:def:8160 | P | Security update for python-Flask (Important) | 2023-05-22
oval:org.opensuse.security:def:8156 | P | Security update for openvswitch (Important) | 2023-05-19
oval:org.opensuse.security:def:8158 | P | Security update for openvswitch (Important) | 2023-05-19
oval:org.opensuse.security:def:6121 | P | Security update for libgda (Important) (in QA) | 2022-08-31
oval:org.opensuse.security:def:6094 | P | Security update for squid (Important) | 2022-07-12
oval:org.opensuse.security:def:99503 | P | (Important) | 2022-03-23
oval:org.opensuse.security:def:113037 | P | nodejs14-14.17.5-1.2 on GA media (Moderate) | 2022-01-17
oval:org.opensuse.security:def:99710 | P | (Moderate) | 2021-12-28
oval:org.opensuse.security:def:99702 | P | (Important) | 2021-12-06
oval:org.opensuse.security:def:100019 | P | (Important) | 2021-11-22
oval:org.opensuse.security:def:93111 | P | (Moderate) | 2021-11-09
oval:org.opensuse.security:def:100011 | P | (Moderate) | 2021-11-04
oval:org.opensuse.security:def:106478 | P | nodejs14-14.17.5-1.2 on GA media (Moderate) | 2021-10-01
oval:org.opensuse.security:def:93264 | P | (Important) | 2021-09-03
oval:com.redhat.rhsa:def:20213073 | P | RHSA-2021:3073: nodejs:12 security, bug fix, and enhancement update (Moderate) | 2021-08-10
oval:com.redhat.rhsa:def:20213074 | P | RHSA-2021:3074: nodejs:14 security, bug fix, and enhancement update (Moderate) | 2021-08-10
oval:org.opensuse.security:def:110997 | P | Security update for nodejs8 (Important) | 2021-08-10
oval:org.opensuse.security:def:76278 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92760 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:8814 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69901 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:96125 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:9372 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:70452 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:99120 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:109480 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:9761 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92170 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:99511 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:67210 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:10312 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92561 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:8628 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69702 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69248 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:109481 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92958 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:118576 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:102814 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:9009 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:70266 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:98925 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:9562 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:91975 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:99312 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69249 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:96124 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:118577 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:111653 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:10126 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:92362 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:102815 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:69512 | P | Security update for nodejs8 (Important) | 2021-08-05
oval:org.opensuse.security:def:110975 | P | Security update for nodejs14 (Important) | 2021-07-19
oval:org.opensuse.security:def:110976 | P | Security update for nodejs10 (Important) | 2021-07-19
oval:org.opensuse.security:def:110973 | P | Security update for nodejs12 (Important) | 2021-07-19
oval:org.opensuse.security:def:69246 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:109479 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:118574 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:9753 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92162 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:102812 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:67183 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:10304 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92553 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:8620 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69694 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69247 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:96122 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92950 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:118575 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:111623 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:102813 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:9001 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:70258 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69271 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:98917 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:93256 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:102265 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:9554 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:91967 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:99304 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:96123 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:111624 | P | Security update for nodejs14 (Important) | 2021-07-15
oval:org.opensuse.security:def:10118 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92354 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69504 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:109478 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:76251 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:92752 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:8806 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:69893 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:93103 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:9364 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:70444 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:99112 | P | Security update for nodejs10 (Important) | 2021-07-15
oval:org.opensuse.security:def:96121 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:111621 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:69270 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:20972 | P | Security update for nodejs10 (Important) | 2021-07-14
oval:org.opensuse.security:def:102264 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:49442 | P | Security update for nodejs14 (Important) | 2021-07-14
oval:org.opensuse.security:def:20973 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:109477 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:49443 | P | Security update for nodejs10 (Important) | 2021-07-14
oval:org.opensuse.security:def:69245 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:118573 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:102811 | P | Security update for nodejs12 (Important) | 2021-07-14
oval:org.opensuse.security:def:20971 | P | Security update for nodejs14 (Important) | 2021-07-14
oval:org.opensuse.security:def:49444 | P | Security update for nodejs12 (Important) | 2021-07-14