On Mon, 25 Oct 2021 05:29:53 -0500, Support, DUNNIT SYSTEMS LTD. <[email protected]> wrote:
> Correct. We installed node.js on our PCs as part of the ZOWE CLI
> installation. That is what we are concerned about. We do not understand
> whether the reports I linked to may negatively affect us or not.

From the Zowe mailing list, and I suspect we will see more and more of this as more and more open-source software ends up on z/OS:

--------------------------------------------------------------------
Hello Zowe Users,

We were informed of a published vulnerability in NPM dependencies which affected Zowe CLI's secure-credential-store during the time period of Nov 4th to Nov 5th.

If you installed the plugin from npmjs.org during the vulnerable window of time via a direct command line install, you should follow the recommended resolution steps from the security advisory here: https://github.com/advisories/GHSA-g2q5-5433-rhrf.

You are not affected if you downloaded the secure credential store plugin from zowe.org or a Zowe support conformant vendor (IBM or Broadcom). You are not affected if you downloaded from any source prior to Nov 4.

The following component versions were affected:

  @zowe/secure-credential-store-for-zowe-cli@zowe-v1-lts
  @zowe/secure-credential-store-for-zowe-cli@latest

If you issued one of these commands Nov 4 or Nov 5, you should follow the above resolution steps:

  "zowe plugins install @zowe/secure-credential-store-for-zowe-cli@zowe-v1-lts"
  "zowe plugins install @zowe/secure-credential-store-for-zowe-cli@latest"

Hello Zowe Developers,

We found additional Zowe components which the above vulnerability affects at development time, during the same time period of Nov 4th - Nov 5th. There was a second hijacked dependency, https://github.com/veged/coa/issues/99, which contained the same exploit.

Conditions for vulnerability:

Zowe API Mediation Layer, Frontend Catalog (path: api-catalog-ui/frontend)
  - If you issued an "npm install" for the first time in this directory Nov 4 or Nov 5, you may have been compromised.
  - If you deleted any existing "package-lock.json" and then issued "npm install" for the first time Nov 4 or Nov 5, you may have been compromised.

Zowe Desktop Sample React Application (path: webClient)
  - If you issued an "npm install" for the first time in this directory Nov 4 or Nov 5, you may have been compromised.
  - If you deleted any existing "package-lock.json" and then issued "npm install" for the first time Nov 4 or Nov 5, you may have been compromised.

Zowe CLI
  - If you deleted "package-lock.json" and then issued "npm install" for the first time Nov 4 or Nov 5, you may have been compromised.

Imperative
  - If you deleted "package-lock.json" and then issued "npm install" for the first time Nov 4 or Nov 5, you may have been compromised.
----------------------------------------------------------------------

For IBM-MAIN subscribe / signoff / archive access instructions, send email to [email protected] with the message: INFO IBM-MAIN
