Notification - Security Vulnerability - Please Read


Mark.Ackert@...
 

Hello Zowe Users,


We were informed of a published vulnerability in NPM dependencies which affected Zowe CLI’s secure-credential-store during the time period of Nov 4th to Nov 5th. If you installed the plugin from npmjs.org during the vulnerable window of time via a direct command line install, you should follow the recommended resolution steps from the security advisory here: https://github.com/advisories/GHSA-g2q5-5433-rhrf. You are not affected if you downloaded the secure credential store plugin from zowe.org or a Zowe support conformant vendor (IBM or Broadcom). You are not affected if you downloaded from any source prior to Nov 4.


The following component versions were affected:


@zowe/secure-credential-store-for-zowe-cli@zowe-v1-lts

@zowe/secure-credential-store-for-zowe-cli@latest


If you issued one of these commands Nov 4 or Nov 5, you should follow the above resolution steps:


“zowe plugins install @zowe/secure-credential-store-for-zowe-cli@zowe-v1-lts”

“zowe plugins install @zowe/secure-credential-store-for-zowe-cli@latest”



Hello Zowe Developers,


We found additional Zowe components that the above vulnerability affects at development time, during the same period of Nov 4th - Nov 5th. There was a second hijacked dependency, https://github.com/veged/coa/issues/99, which contained the same exploit.


Conditions for vulnerability:


  • Zowe API Mediation Layer, Frontend Catalog (path: api-catalog-ui/frontend)
    • If you issued an “npm install” for the first time in this directory Nov 4 or Nov 5, you may have been compromised.
    • If you deleted any existing “package-lock.json” and then issued “npm install” for the first time Nov 4 or Nov 5, you may have been compromised.
  • Zowe Desktop Sample React Application (path: webClient)
    • If you issued an “npm install” for the first time in this directory Nov 4 or Nov 5, you may have been compromised.
    • If you deleted any existing “package-lock.json” and then issued “npm install” for the first time Nov 4 or Nov 5, you may have been compromised.
  • Zowe CLI
    • If you deleted “package-lock.json” and then issued “npm install” for the first time Nov 4 or Nov 5, you may have been compromised.
  • Imperative
    • If you deleted “package-lock.json” and then issued “npm install” for the first time Nov 4 or Nov 5, you may have been compromised.
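A triage check one could run against a checkout of the components listed above, added here as an example and not taken from the Zowe project: it flags a project when node_modules/coa was unpacked during the window and no lockfile predates it, which is exactly the "first install" and "deleted package-lock.json" situations described. The year (2021), the mtime-based heuristic and the GNU coreutils options (stat -c, date -d, touch -d) are assumptions of this example.

```shell
#!/bin/sh
# Added triage helper (not Zowe project code) for the conditions listed above.
# Heuristic: the hijacked "coa" could only be pulled in when dependencies were
# resolved fresh, so a project is flagged when node_modules/coa was unpacked
# inside the window AND package-lock.json is missing or was (re)created in the
# window. A lockfile older than the window pinned coa before the hijack.
# The notice gives only "Nov 4-5"; the year 2021 is assumed here.
WINDOW_START="2021-11-04 00:00:00"
WINDOW_END="2021-11-06 00:00:00"    # exclusive: covers all of Nov 4 and Nov 5

# mtime of a path as epoch seconds (GNU stat, then BSD stat)
mtime_epoch() { stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"; }
# "YYYY-MM-DD HH:MM:SS" -> epoch seconds (GNU date, then BSD date)
to_epoch() { date -d "$1" +%s 2>/dev/null || date -j -f "%Y-%m-%d %H:%M:%S" "$1" +%s; }

# check_project DIR: prints one verdict and returns 1 when the project needs review
#   no-coa       coa is not installed at all
#   lock-pinned  package-lock.json predates the window, so coa was pinned earlier
#   review       coa unpacked in the window without a pre-existing lockfile
#   ok           coa unpacked outside the window
check_project() {
    dir=$1
    start=$(to_epoch "$WINDOW_START"); end=$(to_epoch "$WINDOW_END")
    [ -d "$dir/node_modules/coa" ] || { echo no-coa; return 0; }
    coa_t=$(mtime_epoch "$dir/node_modules/coa")
    if [ -f "$dir/package-lock.json" ] && [ "$(mtime_epoch "$dir/package-lock.json")" -lt "$start" ]; then
        echo lock-pinned; return 0
    fi
    if [ "$coa_t" -ge "$start" ] && [ "$coa_t" -lt "$end" ]; then
        echo review; return 1
    fi
    echo ok; return 0
}

# make_fixture DIR COA_MTIME [LOCK_MTIME]: constructed sample project tree for
# exercising the check offline (no real install happens); GNU touch -d assumed.
make_fixture() {
    mkdir -p "$1/node_modules/coa"
    touch -d "$2" "$1/node_modules/coa"
    if [ -n "$3" ]; then
        : > "$1/package-lock.json"
        touch -d "$3" "$1/package-lock.json"
    fi
}
```

Run check_project against each affected checkout (for example api-catalog-ui/frontend and webClient) and treat a "review" verdict as a reason to follow the resolution steps in the advisory linked above.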


Thank you


