
Open Vulnerabilities #412

Closed
jdonnell01 opened this issue Dec 3, 2019 · 14 comments

Comments

@jdonnell01

jdonnell01 commented Dec 3, 2019

Hello,

Is there a plan to address the open vulnerabilities against shiny server?

Thank you

@wch
Contributor

wch commented Dec 3, 2019

Where are you seeing lodash in this repository?

@jdonnell01
Author

jdonnell01 commented Dec 3, 2019

I am referencing this Dockerfile (https://github.com/rocker-org/shiny/blob/master/Dockerfile) which consumes shiny server from https://download3.rstudio.org/ubuntu-14.04/x86_64. When I scan this installation the results indicate a dependency on lodash and handlebars which have identified security vulnerabilities.

It is possible that the lodash dependency originates from another package as part of the Dockerfile, however it seems the Pro version of Shiny Server leverages lodash (vulnerability was remediated in v1.5.12 -> https://support.rstudio.com/hc/en-us/articles/215642837-Shiny-Server-Pro-Release-History).

However, is there a plan to upgrade these dependencies for shiny server?
Thank you

@jdonnell01
Author

Hello - is there a plan to update these dependencies?
Thank you

@jcheng5
Member

jcheng5 commented Dec 17, 2019

Master is updated, release is a few weeks away. We're waiting on another Node.js v12 release and then a QA pass.

@jdonnell01
Author

Understood - if you could please kindly reply when the new version is released. Thank you

@jdonnell01
Author

Hello - is there any update on the release or are you still waiting on the new Node.js version?

Thank you,
John

@jcheng5
Member

jcheng5 commented Jan 9, 2020

Hi John,

The new Node.js version was released on Tuesday and we have new builds being tested by QA. We're hoping to have an official release in early February or so.

If you'd like to do your own testing in the meantime, you can download builds of Shiny Server at https://dailies.rstudio.com (all the usual caveats about prerelease software apply).

@dvasilen

dvasilen commented Feb 4, 2020

@jcheng5
Please advise on the ETA for the new Shiny Server GA with these fixes. Thanks!

@jdonnell01
Author

Hello @jcheng5,

Just following up on this issue. Can you please advise as to when you plan to release the new version of Shiny Server with these vulnerabilities addressed?

I appreciate the support here.

@jcheng5
Member

jcheng5 commented Feb 24, 2020

Sorry, testing has been and continues to go on—it’s just taking longer than expected. It has been and continues to be the top priority for everyone involved.

@jcheng5
Member

jcheng5 commented Feb 27, 2020

We were hoping to ship this week, but a fatal bug in a third-party component of Shiny Server Pro is holding us up. We're doing everything we can to try to get past this. Thanks for your continued patience.

@jcheng5
Member

jcheng5 commented Mar 5, 2020

Shiny Server Open Source 1.5.13 is now ready for release:

Ubuntu: https://s3.amazonaws.com/rstudio-shiny-server-os-build/ubuntu-14.04/x86_64/shiny-server-1.5.13.944-amd64.deb

RedHat/SLES: https://s3.amazonaws.com/rstudio-shiny-server-os-build/centos6.3/x86_64/shiny-server-1.5.13.944-x86_64.rpm

Shiny Server Pro still requires a few more days of testing.

@jcheng5
Member

jcheng5 commented Mar 15, 2020

Oh, sorry I forgot to alert this thread--as of a couple of days ago, Shiny Server Pro 1.5.13 is available as well. Thank you for your patience.

@jcheng5 jcheng5 closed this as completed Mar 15, 2020
@jdonnell01
Author

Hello,

Thank you again for addressing these vulnerabilities.
However, when I ingested the latest image from DockerHub (https://hub.docker.com/r/rocker/shiny) there were identified security vulnerabilities - please see below. Can these possibly be remediated?

Thank you

```json
{
"file": "/opt/shiny-server/node_modules/minimist/index.js",
"name": "CVE-2020-7598",
"type": "CVE",
"description": "minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a \"constructor\" or \"__proto__\" payload.",
"score": "7.5",
"severity": "high",
"publishdate": "2020-03-11",
"acknowledged": false,
"url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-7598",
"score_version": "CVSS v2",
"solution": "minimist - 0.2.1,1.2.2",
"vendor_name": "",
"vendor_severity": "high",
"vendor_statement": "",
"fix_version": "minimist - 0.2.1,1.2.2"
},
{
"file": "/usr/lib/python3.7/urllib/request.py",
"name": "CVE-2020-8492",
"type": "CVE",
"description": "Python 2.7 through 2.7.17, 3.5 through 3.5.9, 3.6 through 3.6.10, 3.7 through 3.7.6, and 3.8 through 3.8.1 allows an HTTP server to conduct Regular Expression Denial of Service (ReDoS) attacks against a client because of urllib.request.AbstractBasicAuthHandler catastrophic backtracking.",
"score": "7.1",
"severity": "high",
"publishdate": "2020-01-30",
"acknowledged": false,
"url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2020-8492",
"score_version": "CVSS v2",
"solution": "",
"vendor_name": "",
"vendor_severity": "medium",
"vendor_statement": "",
"fix_version": ""
},
```
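A triage step a defender would run over scan output in the shape posted above, as an added example that is not code from this thread or from the rocker/shiny project: it parses the scanner's `fix_version` field (assumed to list one fixed release per affected major line, comma separated, as in `minimist - 0.2.1,1.2.2`) and compares it with the version actually installed in the image, so each finding is classified as fixed, still vulnerable, or lacking a published fix. The findings, the installed-version inventory and the field format are constructed assumptions.

```python
"""Triage scanner findings against the package versions actually installed."""
import json
import re

# Constructed findings, trimmed to the fields the triage needs (scanner shape
# taken from the issue comment; 'fix_version' is "<pkg> - <ver>[,<ver>...]").
FINDINGS = json.loads("""[
{"file": "/opt/shiny-server/node_modules/minimist/index.js", "name": "CVE-2020-7598",
 "severity": "high", "fix_version": "minimist - 0.2.1,1.2.2"},
{"file": "/usr/lib/python3.7/urllib/request.py", "name": "CVE-2020-8492",
 "severity": "high", "fix_version": ""}
]""")

# Constructed inventory: package -> installed version. In practice this would be
# read from node_modules/<pkg>/package.json (or the OS package database).
INSTALLED = {"minimist": "1.2.0", "python": "3.7.6"}


def parse_version(v):
    """'1.2.2' -> (1, 2, 2); tuples compare component-wise, unlike strings."""
    return tuple(int(x) for x in v.strip().split("."))


def parse_fix_versions(fix_field):
    """'minimist - 0.2.1,1.2.2' -> ('minimist', [(0,2,1), (1,2,2)]); '' -> (None, [])."""
    m = re.fullmatch(r"\s*(\S+)\s*-\s*([\d.,\s]+)", fix_field)
    if not m:
        return None, []
    fixes = [parse_version(x) for x in m.group(2).split(",") if x.strip()]
    return m.group(1), fixes


def status(finding, installed):
    """Classify one finding relative to what is installed."""
    pkg, fixes = parse_fix_versions(finding["fix_version"])
    if pkg is None:
        return "no-fix-published"   # e.g. CVE-2020-8492 above: needs mitigation, not an upgrade
    if pkg not in installed:
        return "not-installed"
    cur = parse_version(installed[pkg])
    same_line = [f for f in fixes if f[0] == cur[0]]  # fix for the installed major line
    if not same_line:
        return "unknown-line"       # no listed fix for this major: review manually
    return "fixed" if cur >= min(same_line) else "vulnerable"


def triage(findings, installed):
    """CVE id -> status, for every finding in the report."""
    return {f["name"]: status(f, installed) for f in findings}


if __name__ == "__main__":
    print(json.dumps(triage(FINDINGS, INSTALLED), indent=2))
```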
