TPS-2021-002 http-signature
Overview
This notice is to advise Joyent customers and open source users of Triton and Manta about a prototype pollution vulnerability in json-schema, a 3rd-party dependency of http-signature. Http-signature is the authentication component of CloudAPI and Manta.
It is not known whether http-signature is exploitable, but it has been updated to preclude the possibility of exploitation. Triton cloudapi and Manta webapi have been updated with the current version of http-signature.
Description
Further details surrounding the vulnerability in json-schema can be found in the SNYK security advisory.
Actions taken by Joyent
Both Triton cloudapi and Manta webapi have been updated to address the vulnerable dependency and will be available in the next Triton release. Operators may also install an updated version of these components from the dev channel, which is available now.
Actions You Need to Take
Triton Enterprise
The method for applying this fix to your on-premises software installation is to update cloudapi and/or mantav2-webapi to the following image UUIDs using the dev channel:
- cloudapi: fd51d138-0839-41f9-af81-e5dd37672195
- mantav2-webapi: 3f1f7282-8120-4e3e-9dc4-524c738e606b
Support
If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.
If you are an Open Source SmartOS/Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.