aqan213
commented
3 years ago Hi, Can anyone help to check this issue? thanks,
Open aqan213 opened 3 years ago
aqan213
commented
3 years ago Hi, Can anyone help to check this issue? thanks,
dpdpbj
commented
3 years ago @aqan213 Hi, the request package has been deprecated, so we can't resolve the issue by upgrade the request package simply.
I checked the recommend package in issue https://github.com/request/request/issues/3143, I think we have to do lots of development and testing effort if we plan to replace the request package with one of alternative libraries. And now DC team has some more high priority work to complete asap.
I will address this issue and try to resolve it when the high priority work done.
aqan213
commented
3 years ago thanks for the update. The customer is supposed to fix it in Feb. Is it possible to address this issue asap or can you please give us a date when you plan to do it? thanks,
dpdpbj
commented
3 years ago I think we have to postpone this issue fix to 2Q.
Our customer reported a vulnerability in bluemix-autoscaling-agent caused by "request" package. The vulnerability reports that
"The request package is vulnerable to Weak Authentication Algorithm. The function function in oauth.js uses SHA-1 for authentication which is no longer considered cryptographically secure."
Here is the hierarchy of the "request" module tracking back to appmetrics
"request" --> "ibmapm-restclient" --> "ibmapm-embed" --> "appmetrics" --> bluemix-autoscaling-agent
According to request/request#2640 it looks like all versions of request are vulnerable and the request package is deprecated. Can you please take a look? Any plan to replace it? thanks,