bluehalo / node-fhir-server-core

An Open Source secure REST implementation for the HL7 FHIR Specification. For API documentation, please see https://github.com/Asymmetrik/node-fhir-server-core/wiki.
https://asymmetrik.com/healthcare
MIT License

Elliptic Timing Attack #215

Closed awatson1978 closed 4 years ago

awatson1978 commented 4 years ago

Do you want to request a feature, report a bug, or improve documentation?

Reporting a security defect.

Hello, Linux Community Bridge is reporting a Timing Attack based on the elliptic library, which is included in node-fhir-server-core based on the jwk-to-pem library which uses it as a dependency.

[Screenshot: Linux Community Bridge report, 2019-12-04 12:42 PM]

I've confirmed that it's jwk-to-pem pulling in elliptic:^6.2.3, and have reported the issue to them in brightspace/node-jwk-to-pem#33

Possible resolutions include removing jwk-to-pem from node-fhir-server-core, or working with Brightspace to get their library patched and then updating the FHIR Server.
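The confirmation step above (working out which direct dependency is responsible for a transitive package, and which physical copy it resolves to) can be automated against `package-lock.json`. The following is an added example, not code from node-fhir-server-core or jwk-to-pem: it walks a lockfileVersion 1 `dependencies` tree, reports every package that `requires` the target and mimics Node's lookup to find the copy it actually gets, then flags copies below a caller-supplied minimum version. The embedded lock tree is constructed for the example; apart from the `^6.2.3` range named in this issue, every version in it (including the `6.5.0` used as the minimum) is a placeholder, not the real fixed version of elliptic.

```javascript
// Added example: audit an npm lockfileVersion 1 tree for a transitive package.
// Not project code; the sample lock below is constructed for illustration.

// Constructed lockfile fragment modelled on the chain in this issue
// (jwk-to-pem -> elliptic). Versions are placeholders except "^6.2.3".
const SAMPLE_LOCK = {
  name: "node-fhir-server-core",
  lockfileVersion: 1,
  dependencies: {
    "jwk-to-pem": {
      version: "2.0.1", // placeholder
      requires: { elliptic: "^6.2.3" },
      dependencies: {
        // nested copy, only visible to jwk-to-pem
        elliptic: { version: "6.4.1" }, // placeholder
      },
    },
    "some-other-lib": {
      version: "1.0.0", // placeholder
      requires: { elliptic: "^6.0.0" },
    },
    // hoisted copy at the root of node_modules
    elliptic: { version: "6.5.0" }, // placeholder
  },
};

// Flatten the nested tree into a list of physical installs with their paths.
function collectInstalls(node, path = []) {
  const out = [];
  for (const [name, info] of Object.entries(node.dependencies || {})) {
    const here = [...path, name];
    out.push({ path: here, version: info.version, requires: info.requires || {} });
    out.push(...collectInstalls(info, here));
  }
  return out;
}

// Mimic Node's resolution: a package at `path` sees `depName` in its own nested
// node_modules first, then in each ancestor's node_modules, then at the root.
function resolveRequire(installs, path, depName) {
  for (let depth = path.length; depth >= 0; depth--) {
    const candidate = [...path.slice(0, depth), depName].join("/");
    const hit = installs.find((i) => i.path.join("/") === candidate);
    if (hit) return hit;
  }
  return null; // declared but not installed (corrupt or pruned lock)
}

// Every package that requires `target`, with the copy it actually resolves to.
function whoRequires(lock, target) {
  const installs = collectInstalls(lock);
  const report = [];
  for (const inst of installs) {
    if (!(target in inst.requires)) continue;
    const resolved = resolveRequire(installs, inst.path, target);
    report.push({
      requirer: inst.path.join(" > "),
      range: inst.requires[target],
      resolvedVersion: resolved ? resolved.version : null,
      resolvedPath: resolved ? resolved.path.join(" > ") : null,
    });
  }
  return report;
}

// Numeric major.minor.patch comparison; prerelease tags are not handled.
function versionAtLeast(version, minimum) {
  const a = version.split(".").map(Number);
  const b = minimum.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) > (b[i] || 0);
  }
  return true;
}

// Requirers whose resolved copy is older than `minimumFixed` (supplied by the
// caller from the advisory; the value used in the test is a placeholder).
function unpatchedCopies(lock, target, minimumFixed) {
  return whoRequires(lock, target).filter(
    (r) => r.resolvedVersion !== null && !versionAtLeast(r.resolvedVersion, minimumFixed)
  );
}

// Usage: node audit-lock.js (prints the chains found in the sample tree).
console.log(JSON.stringify(whoRequires(SAMPLE_LOCK, "elliptic"), null, 2));
console.log("below placeholder minimum 6.5.0:",
  unpatchedCopies(SAMPLE_LOCK, "elliptic", "6.5.0").map((r) => r.requirer));
```

To run it against a real project, replace `SAMPLE_LOCK` with `require("./package-lock.json")`; the output shows why a hoisted, already-updated copy at the root does not help when a direct dependency such as jwk-to-pem keeps its own nested copy, which is the situation `npm ls elliptic` would also reveal.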

j3parker commented 4 years ago

We merged a fix submitted by a community member: https://github.com/Brightspace/node-jwk-to-pem/pull/32

Sorry for the delay on this! We actually got a PR for this earlier but it slipped through the cracks :(