Re: Asking for a friend - reported NPM/node.js vulnerabilities

2021-11-06 Thread Support, DUNNIT SYSTEMS LTD.
Thanks for the update.

I've now also come across this, though I haven't a clue whether this might 
affect ZOWE users:

Popular 'coa' NPM library hijacked to steal user passwords

https://www.bleepingcomputer.com/news/security/popular-coa-npm-library-hijacked-to-steal-user-passwords/

--
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN


Re: Asking for a friend - reported NPM/node.js vulnerabilities

2021-11-06 Thread Sebastian Welton
On Mon, 25 Oct 2021 05:29:53 -0500, Support, DUNNIT SYSTEMS LTD. wrote:

>Correct. We installed node.js on our PCs in as part of the ZOWE CLI 
>installation. That is what we are concerned about. We do not understand 
>whether the reports I linked to may negatively affect us or not.
>

From the Zowe mailing list and I suspect we will see more and more of this as 
more and more opensource software ends up on z/OS:

Hello Zowe Users,


We were informed of a published vulnerability in NPM dependencies which 
affected Zowe CLI’s secure-credential-store during the time period of Nov 4th 
to Nov 5th. If you installed the plugin from npmjs.org during the vulnerable 
window of time via a direct command line install, you should follow the 
recommended resolution steps from the security advisory here: 
https://github.com/advisories/GHSA-g2q5-5433-rhrf. You are not affected if you 
downloaded the secure credential store plugin from zowe.org or a Zowe support 
conformant vendor (IBM or Broadcom). You are not affected if you downloaded 
from any source prior to Nov 4.


The following component versions were affected:


@zowe/secure-credential-store-for-zowe-cli@zowe-v1-lts 

@zowe/secure-credential-store-for-zowe-cli@latest


If you issued one of these commands Nov 4 or Nov 5, you should follow the above 
resolution steps:


“zowe plugins install 
@zowe/secure-credential-store-for-zowe-cli@zowe-v1-lts”

“zowe plugins install @zowe/secure-credential-store-for-zowe-cli@latest”



Hello Zowe Developers,


We found additional Zowe components which the above vulnerability affects at 
development time, during the same time period of Nov 4th - Nov 5th. There was a 
second hijacked dependency, https://github.com/veged/coa/issues/99, which 
contained the same exploit.


Conditions for vulnerability:

Zowe API Mediation Layer, Frontend Catalog (path: api-catalog-ui/frontend)
  - If you issued an "npm install" for the first time in this directory Nov 
    4 or Nov 5, you may have been compromised.
  - If you deleted any existing "package-lock.json" and then issued "npm 
    install" for the first time Nov 4 or Nov 5, you may have been compromised.

Zowe Desktop Sample React Application (path: webClient)
  - If you issued an "npm install" for the first time in this directory Nov 
    4 or Nov 5, you may have been compromised.
  - If you deleted any existing "package-lock.json" and then issued "npm 
    install" for the first time Nov 4 or Nov 5, you may have been compromised.

Zowe CLI
  - If you deleted "package-lock.json" and then issued "npm install" for 
    the first time Nov 4 or Nov 5, you may have been compromised.

Imperative
  - If you deleted "package-lock.json" and then issued "npm install" for 
    the first time Nov 4 or Nov 5, you may have been compromised.

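The forwarded Zowe notice boils down to a simple check: did "npm install" resolve the hijacked 'coa' (or, from the earlier articles, 'ua-parser-js') package into your tree, and did that happen inside the Nov 4-5 window? The script below is an added example, not Zowe's or the list's own code. It reads a package-lock.json (lockfile v1 and v2/v3 layouts) and walks node_modules for those two package names, reporting every version found and whether the package directory's modification time falls in the window. Assumptions: the window is treated as UTC, directory mtime is only an approximation of install time, and no affected version numbers are hard-coded because the thread does not give any.

```python
"""Inventory a Node.js project's lockfile and node_modules for named packages,
so a Zowe CLI / Node user can see whether 'coa' or 'ua-parser-js' was pulled
in, which versions, and whether that happened in the advisory window."""
import json
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Package names taken from the thread; affected version numbers are not on the
# page, so every version found is reported instead of matching a list.
WATCHED = {"coa", "ua-parser-js"}

# Window from the forwarded Zowe notice (Nov 4-5, 2021). Treated as UTC here as
# an assumption; adjust to the timezone of the machine that ran "npm install".
WINDOW_START = datetime(2021, 11, 4, tzinfo=timezone.utc)
WINDOW_END = datetime(2021, 11, 6, tzinfo=timezone.utc)


def lock_versions(lock: dict, watched=WATCHED) -> dict:
    """Return {name: sorted versions} for watched packages in a parsed
    package-lock.json. Handles lockfileVersion 1 (nested 'dependencies')
    and 2/3 (flat 'packages' keyed by node_modules path)."""
    found = {}

    def note(name, version):
        if name in watched and version:
            found.setdefault(name, set()).add(version)

    # v2/v3: keys look like "node_modules/coa" or "node_modules/x/node_modules/coa";
    # the empty key is the root project itself.
    for path, meta in lock.get("packages", {}).items():
        if path:
            note(path.split("node_modules/")[-1], meta.get("version"))

    # v1: recursive 'dependencies' tree
    def walk(deps):
        for name, meta in deps.items():
            note(name, meta.get("version"))
            walk(meta.get("dependencies", {}))

    walk(lock.get("dependencies", {}))
    return {k: sorted(v) for k, v in found.items()}


def scan_node_modules(root, watched=WATCHED, start=WINDOW_START, end=WINDOW_END) -> list:
    """Walk node_modules under root; for each watched package return
    (name, version, installed_in_window). The package directory's mtime is
    used as an approximation of when npm wrote it."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        parts = Path(dirpath).parts
        if "node_modules" not in parts:
            continue
        # package name = path components after the last "node_modules"
        # (keeps scoped names such as "@scope/name" intact)
        idx = len(parts) - 1 - parts[::-1].index("node_modules")
        name = "/".join(parts[idx + 1:])
        if name not in watched:
            continue
        with open(os.path.join(dirpath, "package.json"), encoding="utf-8") as fh:
            version = json.load(fh).get("version", "?")
        mtime = datetime.fromtimestamp(os.path.getmtime(dirpath), tz=timezone.utc)
        hits.append((name, version, start <= mtime < end))
    return hits


def demo():
    """Constructed sample input: a v2 lockfile plus a throwaway node_modules
    tree whose 'coa' directory is stamped inside the window. Versions here
    are made up for the demo, not real affected releases."""
    sample_lock = {
        "lockfileVersion": 2,
        "packages": {
            "": {"name": "sample-app", "version": "1.0.0"},
            "node_modules/coa": {"version": "1.2.3"},            # constructed
            "node_modules/ua-parser-js": {"version": "4.5.6"},   # constructed
            "node_modules/left-pad": {"version": "1.3.0"},       # not watched
        },
    }
    with tempfile.TemporaryDirectory() as tmp:
        pkg = Path(tmp) / "node_modules" / "coa"
        pkg.mkdir(parents=True)
        (pkg / "package.json").write_text(json.dumps({"name": "coa", "version": "1.2.3"}))
        stamp = datetime(2021, 11, 4, 12, tzinfo=timezone.utc).timestamp()
        os.utime(pkg, (stamp, stamp))  # pretend npm wrote it on Nov 4
        return lock_versions(sample_lock), scan_node_modules(tmp)


if __name__ == "__main__":
    versions, hits = demo()
    print("lockfile:", versions)
    for name, version, in_window in hits:
        print(f"node_modules: {name}@{version} in-window={in_window}")
```

Run it against a real project with lock_versions(json.load(open("package-lock.json"))) and scan_node_modules("."); a non-empty lockfile result with a True in-window flag is the case the notice says to treat under its resolution steps. A project whose package-lock.json was never deleted will show the pinned versions it had before Nov 4, which is exactly why the notice singles out installs done without a lockfile.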


Re: Asking for a friend - reported NPM/node.js vulnerabilities

2021-10-25 Thread Support, DUNNIT SYSTEMS LTD.
Correct. We installed node.js on our PCs in as part of the ZOWE CLI 
installation. That is what we are concerned about. We do not understand whether 
the reports I linked to may negatively affect us or not.



Re: Asking for a friend - reported NPM/node.js vulnerabilities

2021-10-25 Thread Sebastian Welton
On Sun, 24 Oct 2021 05:40:29 -0500, Support, DUNNIT SYSTEMS LTD. wrote:

The only area where this could possibly be used under z/OS is with node.js and 
I don't know if the version which runs on z/OS uses this version or is one just 
for z/OS. You would be running node.js if you run ZOWE and some other 
opensource based products...

Sebastian


>I know very little about the technical side of anything Java. Those of you who 
>are wiser, could you please look at these 2 articles and help the rest of us to 
>understand how and where - if at all - this poses risks on the z/OS machine 
>side, as well as on the platforms connected to z/OS and to our non-MF work 
>environments in general (mine is Win10). Thanks.
>
>https://www.reddit.com/r/programming/comments/qdlela/breaking_npm_package_uaparserjs_with_more_than_7m/
>
>https://www.bleepingcomputer.com/news/security/popular-npm-library-hijacked-to-install-password-stealers-miners/
>



Re: Asking for a friend - reported NPM/node.js vulnerabilities

2021-10-24 Thread Seymour J Metz
Are there copies that don't require a logon?

Are you using UA-Parse-JS, directly or indirectly?


--
Shmuel (Seymour J.) Metz
http://mason.gmu.edu/~smetz3



From: IBM Mainframe Discussion List on behalf of Support, DUNNIT SYSTEMS LTD.
Sent: Sunday, October 24, 2021 6:40 AM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Asking for a friend - reported NPM/node.js vulnerabilities

I know very little about the technical side of anything Java. Those of you who 
are wiser, could you please look at these 2 articles and help the rest of us to 
understand how and where - if at all - this poses risks on the z/OS machine 
side, as well as on the platforms connected to z/OS and to our non-MF work 
environments in general (mine is Win10). Thanks.

https://www.reddit.com/r/programming/comments/qdlela/breaking_npm_package_uaparserjs_with_more_than_7m/

https://www.bleepingcomputer.com/news/security/popular-npm-library-hijacked-to-install-password-stealers-miners/



Re: Asking for a friend - reported NPM/node.js vulnerabilities

2021-10-24 Thread Jeremy Nicoll
On Sun, 24 Oct 2021, at 11:40, Support, DUNNIT SYSTEMS LTD. wrote:
> I know very little about the technical side of anything Java. 

The articles are not about Java, but the unrelated and completely 
different language Javascript.

Javascript often runs in a browser (i.e. client-side) but there's also a 
variant "node-js" which can be used on servers (instead of using
e.g. php), and - I think - also installed on users' machines to be 
used as just another scripting language (so, like perl, python or 
REXX).

-- 
Jeremy Nicoll - my opinions are my own.



Asking for a friend - reported NPM/node.js vulnerabilities

2021-10-24 Thread Support, DUNNIT SYSTEMS LTD.
I know very little about the technical side of anything Java. Those of you who 
are wiser, could you please look at these 2 articles and help the rest of us to 
understand how and where - if at all - this poses risks on the z/OS machine 
side, as well as on the platforms connected to z/OS and to our non-MF work 
environments in general (mine is Win10). Thanks.

https://www.reddit.com/r/programming/comments/qdlela/breaking_npm_package_uaparserjs_with_more_than_7m/

https://www.bleepingcomputer.com/news/security/popular-npm-library-hijacked-to-install-password-stealers-miners/
