Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

critical vm2 security issues #5643

Open
vsanse opened this issue Jul 18, 2023 · 25 comments
Open

critical vm2 security issues #5643

vsanse opened this issue Jul 18, 2023 · 25 comments

Comments

@vsanse
Copy link

vsanse commented Jul 18, 2023

What's going wrong?

GHSA-cchq-frgv-rjh5

Security issue found in vm2, allows remote code execution

How could we reproduce this issue?

POC not yet disclosed.

Supporting information

vm2 is already deprecated. it suggests switching to isolated-vm
https://github.com/patriksimek/vm2#%EF%B8%8F-project-discontinued-%EF%B8%8F

$ pm2 report

OUTPUT

--- PM2 report ----------------------------------------------------------------
Date                 : Tue Jul 18 2023 07:27:44 GMT+0000 (Coordinated Universal Time)
===============================================================================
--- Daemon -------------------------------------------------
pm2d version         : 5.3.0
node version         : 16.20.0
node path            : /home/user/.nvm/versions/node/v16.20.0/bin/pm2
argv                 : /home/ec2-user/.nvm/versions/node/v16.20.0/bin/node,/home/user/.nvm/versions/node/v16.20.0/lib/node_modules/pm2/lib/Daemon.js
argv0                : node
user                 : ec2-user
uid                  : 1000
gid                  : 1000
uptime               : 21212min
===============================================================================
--- CLI ----------------------------------------------------
local pm2            : 5.3.0
node version         : 16.20.0
node path            : /home/user/.nvm/versions/node/v16.20.0/bin/pm2
argv                 : /home/user/.nvm/versions/node/v16.20.0/bin/node,/home/user/.nvm/versions/node/v16.20.0/bin/pm2,report
argv0                : node
user                 : ec2-user
uid                  : 1000
gid                  : 1000
===============================================================================
--- System info --------------------------------------------
arch                 : x64
platform             : linux
type                 : Linux
cpus                 : Intel(R) Xeon(R) CPU E5-2686 v4 @ 2.30GHz
cpus nb              : 2
freemem              : 2253070336
totalmem             : 4111364096
home                 : /home/user
===============================================================================
@gabrielenosso
Copy link

Up.
Need this fixed ASAP for CI/CD Pipeline which recognizes this as a Critical risk

@mterrel
Copy link

mterrel commented Jul 18, 2023

The proxy-agent dependency just released a new version 6.3.0 that no longer depends on vm2: https://github.com/TooTallNate/proxy-agents/releases

@boxexchanger
Copy link

boxexchanger commented Jul 19, 2023

Up. Need this fixed ASAP for CI/CD Pipeline which recognizes this as a Critical risk

+1
#5639

@eladkolet
Copy link

Up. Need this fixed ASAP for CI/CD Pipeline which recognizes this as a Critical risk

+1

+1

@ruslanrusu
Copy link

+1

3 similar comments
@Braicce
Copy link

Braicce commented Jul 19, 2023

+1

@OIRNOIR
Copy link

OIRNOIR commented Jul 19, 2023

+1

@frztmr
Copy link

frztmr commented Jul 21, 2023

+1

@lognaturel
Copy link

Thanks for maintaining pm2, @Unitech! Is there something I can do to help you with getting a new release out? Would a PR to bump proxy-agent be helpful? Any particular sanity checks with the new version that it might be helpful to do in preparation for a release?

@medbenmakhlouf
Copy link

+1

@cklat
Copy link

cklat commented Jul 24, 2023

+1

@Unitech
Is there anything that you may communicate at the moment?
Any timeline for the fix? Are you aware of the problem and are working on a solution?

@OIRNOIR
Copy link

OIRNOIR commented Jul 24, 2023

+1

@Unitech Is there anything that you may communicate at the moment? Any timeline for the fix? Are you aware of the problem and are working on a solution?

They are working on it.

@OIRNOIR
Copy link

OIRNOIR commented Jul 24, 2023

+1

@Unitech Is there anything that you may communicate at the moment? Any timeline for the fix? Are you aware of the problem and are working on a solution?

An update was just released to @pm2/agent updating proxy-agent to version 6.3.0. Run npm update to ensure that you have the latest version. If your pm2 is installed globally, don't forget to also sudo npm update -g
Still awaiting a fix to the semver issue: keymetrics/pm2-io-agent#131

@orange1337
Copy link

+1

1 similar comment
@jrwhite17
Copy link

+1

@denodaeus
Copy link

Snyk is still reporting this as a vulnerability when I do a package.json overrides to pm2/agent@2.0.3, any thoughts?

CVE-2023-37466
Introduced through: pm2@5.3.0 › @pm2/agent@2.0.3 › proxy-agent@6.3.0 › pac-proxy-agent@7.0.0 › pac-resolver@5.0.0 › degenerator@3.0.4 › vm2@3.9.19
Fix: No remediation path available.

@Enrice
Copy link

Enrice commented Aug 2, 2023

yes. pac-proxy-agent@7.0.0 depends on pac-resolver@7.0.0 depends on degenerator@5.0.1 with no dependency on vm2!

@jieLi086
Copy link

May I ask how the progress is ?

+1
@Unitech Is there anything that you may communicate at the moment? Any timeline for the fix? Are you aware of the problem and are working on a solution?

They are working on it.

@Enrice
Copy link

Enrice commented Aug 17, 2023

May I ask how the progress is ?

+1
@Unitech Is there anything that you may communicate at the moment? Any timeline for the fix? Are you aware of the problem and are working on a solution?

They are working on it.

I don't know what you mean.

  • vm2 is no longer a dependency
  • semver was updated to ~7.5.0, so current 7.5.4 with vulnerability fix can be used

@jieLi086
Copy link

Thank you for your answer. This has already solved my problem

@matthew-white
Copy link

Same here. For some reason, I thought the pm2 package had to change, and I was waiting for a pm2 release. It looks like just @pm2/agent, a subdependency of pm2, needs to be updated:

npm update @pm2/agent

@RobinTail
Copy link

Running yarn upgrade solved the issue for my project.

@OIRNOIR
Copy link

OIRNOIR commented Sep 17, 2023

This is all fixed. Feel free to close this issue.

@OIRNOIR
Copy link

OIRNOIR commented Sep 19, 2023

This is all fixed. Feel free to close this issue.

@vsanse

@tlebon
Copy link

tlebon commented Mar 6, 2024

for anyone using yarn:
add the following to your package.json and rerun yarn.
"resolutions": { "@pm2/agent": "2.0.3" },

confirm that vm2 is removed:
yarn why vm2 -R

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests