Security issues with npm dependencies in Operations Support Portal?

Hi,

the Operations Support Portal and also the API Server UI have dependencies on NPM packages (KB 266000).

Recently, popular npm libraries such as ua-parser, rc and coa were hijacked and infected with malware.

See "Embedded Malware in NPM: Coa, Rc, Ua-parser" (FOSSA) and "Unknown attackers infiltrate the npm package manager and infect tools with malicious code" (heise online; original title: "Unbekannte infiltrieren Paketmanager npm und verseuchen Tools mit Schadcode").

If packages used by One Identity HTML5 applications were compromised, our fear is that we might be using those packages when compiling One Identity Manager HTML5 applications. This would compromise the security and integrity of our OIM customer installation, as well as potentially our systems and data.

We are not experts in npm security. Therefore, as One Identity seems to be shifting more and more to HTML5, we have the following questions:

- Is that a risk for OIM customers at all?

- If so, how do you mitigate security and integrity risks for npm packages compiled into OIM?

- How is One Identity protecting customers?

Thanks,

Sebastian

  • No, because at some point you need to load the packages from npm. We will never ship all the required packages as part of Identity Manager.

    The package locking mechanism protects against the risk of compromised packages. What is the malware scenario?

  • Ok, but a proxy does not protect against malware and similar risks; it is only a buffer. The server connected to the proxy still takes the npm package that is there, whether it has malware or not. We can only hope that the customer finds out fast enough that the npm package has malware before compiling with the proxy. So in my opinion the main problem is not solved; there is only one server in between.

    Can you explain to me what is so difficult about doing a full npm package? Normally customers do not always need the newest version, only if you change mechanisms that work only on a newer version.

  • What you describe cannot happen due to package locking. OneIM expects a specific version of a package with a unique hash. If it finds a package containing malware, the hashes will not match and NodeJS will refuse to load the compromised package.

    This has nothing to do with having an NPM proxy or not.