TPS-2021-002 http-signature

Overview

This notice advises Joyent customers and open source users of Triton and Manta of a prototype pollution vulnerability in json-schema, a third-party dependency of http-signature. http-signature is the authentication component of CloudAPI and Manta.

It is not known whether http-signature is exploitable, but it has been updated to preclude the possibility of exploitation. Triton cloudapi and Manta webapi have been updated with the current version of http-signature.

Description

Further details surrounding the vulnerability in json-schema can be found in the SNYK security advisory.

Actions taken by Joyent

Both Triton cloudapi and Manta webapi have been updated to address the vulnerable dependency and will be available in the next Triton release. Operators may also install an updated version of these components from the dev channel, which is available now.

Actions You Need to Take

Triton Enterprise

To apply this fix to your on-premises software installation, update cloudapi and/or mantav2-webapi to the following image UUID using the dev channel:

  • cloudapi: fd51d138-0839-41f9-af81-e5dd37672195
  • mantav2-webapi: 3f1f7282-8120-4e3e-9dc4-524c738e606b

Support

If you are a Joyent customer and have any further questions or concerns after reading the information provided above, please contact Joyent Support.

If you are an Open Source SmartOS/Triton user, please direct any further questions to the SmartOS Community Mailing Lists and IRC.

References