This notice is to advise Joyent customers and open source users of Triton and
Manta about a prototype pollution vulnerability in json-schema, a third-party
dependency of http-signature. Http-signature is the authentication component
of CloudAPI and Manta.
It is not known whether http-signature is exploitable, but it has been updated to preclude the possibility of exploitation. Triton cloudapi and Manta webapi have been updated with the current version of http-signature.
Further details surrounding the vulnerability in
json-schema can be found in
the SNYK security advisory.
Actions taken by Joyent
Both Triton cloudapi and Manta webapi have been updated to address the
vulnerable dependency and will be available in the next Triton release.
Operators may also install an updated version of these components from the
dev channel, which is available now.
Actions You Need to Take
The method for applying this fix to your on-premises software installation will be to update cloudapi and/or mantav2-webapi to the following image UUID using the dev channel:
If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.
If you are an Open Source SmartOS/Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.