
Vulnerability in hoek package #2926

Closed
warpdesign opened this issue Apr 26, 2018 · 29 comments
@warpdesign

There is a vulnerability in the hoek package which is required by hawk that request depends on.

Request depends on hawk version ~6.0.2. Updating to hawk version 7.0.0 would fix the problem.

@crccheck

crccheck commented Apr 27, 2018

I tried just bumping to hawk v7.0.7 earlier today but the test broke. I had to jump off to do something else but I only got as far as this faster way to run the test:

npx taper tests/test-hawk.js

@dan-nl

dan-nl commented Apr 27, 2018

As far as I understand it, the issue is with a CVE, https://nvd.nist.gov/vuln/detail/CVE-2018-3728, regarding hoek < v5.0.3; request v2.85.1 requires hawk ~6.0.2, which requires hoek 4.x.x. request requires hawk ~6.0.2 to maintain compatibility with node 4.

Thus, it appears that the CVE is incorrectly considering hoek v4.2.1 as vulnerable, and that may be why so many GitHub repos are now reporting a vulnerability. I sent an email to nvd.nist.gov about the issue.

@ptrcnull

See here: #2891 (comment)

@PhilippeVay

To confirm the findings of dan-nl, both links from SecurityFocus and HackerOne in the CVE state that it has been fixed:

Not Vulnerable:
| Hoek Hoek 4.2.1
| Hoek Hoek 5.0.3

vdeturckheim posted a comment. Feb 15th (2 months ago)
Fix has been backported to 4.x track of the module and published as 4.2.1. (see hapijs/hoek#231 )

and it's confirmed by @nlf in hapijs/hoek#230 (comment)

It has been fixed.
To further discuss, (…)

@jfoclpf

jfoclpf commented Apr 27, 2018

@warpdesign you said

Request depends on hawk version ~6.0.2. Updating to hawk version 7.0.0 would fix the problem

But how do I do that if I don't have hawk directly as a dependency?

autocosts@5.4.4 /home/jfolpf/autocosts
└─┬ request@2.85.0
  └─┬ hawk@6.0.2
    ├─┬ boom@4.3.1
    │ └── hoek@4.2.1  deduped
    ├─┬ cryptiles@3.1.2
    │ └─┬ boom@5.2.0
    │   └── hoek@4.2.1  deduped
    ├── hoek@4.2.1 
    └─┬ sntp@2.1.0
      └── hoek@4.2.1  deduped

Which npm command? npm update request didn't do the job, nor did npm update hoek.
Thanks
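The question above comes down to "which copy of hoek is actually resolved in my tree, and is it one the fix covers?" The script below is an added example written for this thread, not code from the request, hawk or hoek projects: it walks an npm `package-lock.json` (lockfileVersion 1, the nested `dependencies` format that matches the `npm ls` tree shown above), lists every installed copy of hoek with its path, and flags any version outside the ranges the thread names as fixed (4.2.1 on the 4.x line, 5.0.3 and later on the 5.x line). The lockfile embedded in it is constructed to mirror the tree in the post, plus one deliberately outdated `hoek@4.2.0` under a made-up `legacy-lib` package so the script has a real finding to report; `legacy-lib` and the file name `check-hoek.js` are assumptions, not anything from the thread.

```javascript
// Added example (not from the issue thread or any of the projects it discusses).
// Audits a lockfileVersion 1 package-lock.json for every resolved copy of "hoek"
// and reports whether each one falls inside the fixed ranges discussed here:
//   >=4.2.1 <5.0.0  (fix backported to the 4.x line)
//   >=5.0.3         (fix on the 5.x line and later)

const FIXED_RANGES = [
  { min: [4, 2, 1], maxExclusive: [5, 0, 0] },
  { min: [5, 0, 3], maxExclusive: null },
];

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes are ignored) into numbers.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when the version lies inside at least one fixed range.
function isFixed(version) {
  const v = parseVersion(version);
  return FIXED_RANGES.some(
    (r) => compareVersions(v, r.min) >= 0 &&
      (r.maxExclusive === null || compareVersions(v, r.maxExclusive) < 0)
  );
}

// Recursively collect every installed copy of `name`, with the path that leads to it.
// In a v1 lockfile, deduped packages appear only once, at the level npm hoisted them to.
function findPackage(lock, name, path = [], out = []) {
  const deps = lock.dependencies || {};
  for (const [depName, entry] of Object.entries(deps)) {
    const here = [...path, `${depName}@${entry.version}`];
    if (depName === name) out.push({ path: here.join(' > '), version: entry.version });
    findPackage(entry, name, here, out);
  }
  return out;
}

function auditHoek(lock) {
  return findPackage(lock, 'hoek').map((hit) => ({ ...hit, fixed: isFixed(hit.version) }));
}

// Constructed sample lockfile mirroring the `npm ls` tree in the thread
// (request -> hawk -> boom, cryptiles -> boom, hoek, sntp; hoek deduped to the hawk level),
// plus a hypothetical "legacy-lib" carrying an unfixed hoek@4.2.0.
const SAMPLE_LOCK = {
  name: 'example-app', version: '1.0.0', lockfileVersion: 1,
  dependencies: {
    request: {
      version: '2.85.0',
      dependencies: {
        hawk: {
          version: '6.0.2',
          dependencies: {
            boom: { version: '4.3.1' },
            cryptiles: { version: '3.1.2', dependencies: { boom: { version: '5.2.0' } } },
            hoek: { version: '4.2.1' },
            sntp: { version: '2.1.0' },
          },
        },
      },
    },
    'legacy-lib': { version: '0.1.0', dependencies: { hoek: { version: '4.2.0' } } },
  },
};

// Usage: node check-hoek.js [path/to/package-lock.json]
// Without an argument the constructed sample above is audited.
let lock = SAMPLE_LOCK;
if (typeof require === 'function' && typeof process !== 'undefined' && process.argv[2]) {
  lock = JSON.parse(require('fs').readFileSync(process.argv[2], 'utf8'));
}
for (const r of auditHoek(lock)) {
  console.log(`${r.fixed ? 'fixed   ' : 'UNFIXED '} ${r.path}`);
}
```

Run against the sample, the hoek under request > hawk is reported as fixed and the one under the constructed `legacy-lib` as unfixed. Note that `npm update request` cannot change anything here: request pins `hawk ~6.0.2`, and hawk's own range resolves to the 4.x line, so the resolved version is whatever the latest 4.x release is, which at the time of the thread was the already-patched 4.2.1.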

@jbreckmckye

You can't. You have to wait until Request publishes a new version that uses Hawk 7. That's the problem.

@johnbeech

Can confirm, I've had 6 repos flagged by GitHub for having the hoek vulnerability because of the request library.

@warpdesign
Author

@jfoclpf I guess it should be possible to temporarily fix the problem by publishing forks with an updated version. But you don't want to go this road. Better wait for an official resolution (which shouldn't be long to come, since the CVE state just needs to be updated for hoek v4.2.1).

@jfoclpf

jfoclpf commented Apr 27, 2018

According to what I have been told by other packages, it's a false positive from GitHub. There is no vulnerability in that version of hoek. Nonetheless it's annoying, and thus let's wait for an official update of request.

@dscalzi

dscalzi commented Apr 27, 2018

The Node.js 4.x release line is going end of life April 30th; compatibility with it should not be a concern after then.

@nlf
Contributor

nlf commented Apr 27, 2018

Yes, hi 👋 hoek maintainer here. Version 4.2.1 has been patched. GitHub's alerts are currently wrong. I've submitted a request to correct the version range in the CVE and also harassed some kind folks at GitHub to take care of things on their end. Hopefully they'll stop reporting that version as vulnerable soon.

@yumetodo

#2926 (comment)
version 4.2.1 has been patched

hapijs/hoek#247 (comment)
I submitted a request to update the CVE, hopefully that’ll happen soon and GitHub can get their db updated. Until that happens this is all out of my hands. I’m leaving this open in the hopes other people will find it.

!?

@dan-nl

dan-nl commented Apr 29, 2018

@dscalzi,

hawk > v7.0.0 drops support for node 4 and 6
https://github.com/hueniverse/hawk/blob/v7.0.1/.travis.yml

hawk >= v7.0.0 includes hoek 5.x.x
https://github.com/hueniverse/hawk/blob/master/package.json#L19

hoek v5.x.x drops support for node 4 and 6
https://github.com/hapijs/hoek/blob/v5.0.0/.travis.yml

@diamont1001

How is this issue going now plz?

@ptrcnull

ptrcnull commented May 2, 2018

@diamont1001 it's already fixed

@diamont1001

@Bjornskjald are u sure?

request@2.85.0/1 -> hawk@6.0.2 -> hoek@4.x.x

@ptrcnull

ptrcnull commented May 2, 2018

@diamont1001 hoek 4.2.1 has the bugfix backported

@diamont1001

@Bjornskjald
[image]

@ptrcnull

ptrcnull commented May 2, 2018

@diamont1001 because if you weren't lazy enough to read the whole discussion, you would see it's a bug with GitHub and hoek maintainer already contacted them...

@JessicaSachs

@nlf Thanks for updating this thread earlier! Any response from GitHub yet? I'm considering pinging them as well...

@debragail

status update?

@cmfcmf

cmfcmf commented May 4, 2018

Status update?

@phillmv from @github staff has posted an explanation at hapijs/hoek#247 (comment):

[...] We fixed the versions we alert on back on Monday, and I personally deleted all the bad alerts earlier today. [...]

@ghost

ghost commented May 24, 2018

Hi, I have read all the discussion but I am still having the issue.
I have run npm audit and it reported about 11 vulnerabilities in the hoek package.
I have updated it to 7.0.7 but nothing changed. I have also updated the hawk package as suggested above, but still nothing changed.
Can you help me please?

@diamont1001

@NadGu plz check your package-lock.json file first.

@ghost

ghost commented May 24, 2018

@diamont1001 done right now. The version of hoek is 4.2.1. What can I do to update it?

@diamont1001

hoek@4.2.1 is ok.
I think that u just have to wait for GitHub to refresh the data; at least that's what I did at the time, and it worked.

@ghost

ghost commented May 24, 2018

@diamont1001 So let's wait! At least I did all that I could. Thank you!

@phillmv

phillmv commented May 24, 2018

@nadgu Hi!

Are you saying you have a repository on GitHub where we're still flagging a version of 4.2.1 as being vulnerable? That shouldn't be happening!

Please email support@github.com with the repository link and mention @phillmv and we'll take it from there :).

@stale

stale bot commented May 24, 2019

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label May 24, 2019
@stale stale bot closed this as completed May 31, 2019