Nexus Intelligence Insights: Sonatype-2018-0413, flatmap-stream’s back, back again


Thought you cleaned up your malicious flatmap-stream code? Check again.

You may have thought you’d read everything there was to read about flatmap-stream and as a result, fixed the offending component once and for all. However, after a deeper inspection of embedded components potentially still in use, the Sonatype Data Research team has uncovered a different reality.

The analogy is this: imagine a large meat manufacturer shipped a batch of bad beef that was recalled. They have cleaned up their act and removed the tainted product from all of their manufacturing and packaging plants. However, the meat they sold to Picabe Burgers months ago has already been formed into hamburgers and stored in the freezer, ready to be cooked and sold in the coming weeks. The meat manufacturer is no longer “vulnerable”, but you, the consumer, could still be exposed or “exploited” by what remains.

In this month’s Nexus Intelligence Insights, we’ll take a deeper dive into the additional attack vectors that remain from the original flatmap-stream vulnerability, talk about something we at Sonatype call secondary expansion, and give remediation guidance on what to do next.

Name of Vuln/Sonatype ID: Sonatype-2018-0413

Type of Vulnerability: Malicious code injection

Components Affected:

  • @eyedea-sockets/messenger-bot 0.0.4
  • @eyedea-sockets/syncano-socket-intercom-integration 0.0.11
  • apollo-discover-resolvers 1.0.2
  • framework-data 9.7.1
  • generator-ozone-be 1.0.39
  • generator-ozone-be 1.0.41
  • generator-ozone-be 1.0.42
  • generator-ozone-be 1.0.43
  • generator-ozone-be 1.0.44
  • generator-ozone-be 1.0.45
  • generator-ozone-be 1.0.46
  • generator-ozone-be 1.0.47
  • hellhun_homelibrary 1.0.0
  • hellhun_homelibrary 1.0.1
  • koa-swapi 1.1.3
  • moab-mother
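The secondary-expansion problem described above (a component you never installed directly can still reach you as a transitive dependency) is easiest to check against a lockfile. The following is an added example, not code from the Sonatype post: it walks an npm package-lock.json in either the v1 (nested) or v2/v3 (flat) layout and flags every entry matching the affected list above. The sample lockfile and the unlisted package names in it are constructed, and moab-mother, whose versions are cut off in the post, is flagged at any version.

```javascript
const AFFECTED = {
  "@eyedea-sockets/messenger-bot": ["0.0.4"],
  "@eyedea-sockets/syncano-socket-intercom-integration": ["0.0.11"],
  "apollo-discover-resolvers": ["1.0.2"],
  "framework-data": ["9.7.1"],
  "generator-ozone-be": ["1.0.39", "1.0.41", "1.0.42", "1.0.43",
                         "1.0.44", "1.0.45", "1.0.46", "1.0.47"],
  "hellhun_homelibrary": ["1.0.0", "1.0.1"],
  "koa-swapi": ["1.1.3"],
  "moab-mother": null, // affected versions cut off in the post: flag every version (assumption)
};
// True when name@version is on the advisory list (or the name is listed without versions).
function isAffected(name, version) {
  if (!(name in AFFECTED)) return false;
  const versions = AFFECTED[name];
  return versions === null || versions.includes(version);
}
// Lockfile v1: "dependencies" is a tree of {name: {version, dependencies}}.
function* walkV1(deps, path) {
  for (const [name, meta] of Object.entries(deps || {})) {
    const here = [...path, name];
    yield { name, version: meta.version, path: here.join(" > ") };
    yield* walkV1(meta.dependencies, here);
  }
}

// Lockfile v2/v3: "packages" is flat, keyed like "node_modules/a/node_modules/@scope/b".
function* walkV2(packages) {
  for (const [key, meta] of Object.entries(packages)) {
    if (key === "") continue; // the root project entry
    const name = key.slice(key.lastIndexOf("node_modules/") + "node_modules/".length);
    yield { name, version: meta.version, path: key };
  }
}

// Return every (name, version, path) in the lockfile that the advisory lists.
function scanLockfile(lock) {
  const entries = lock.packages ? walkV2(lock.packages) : walkV1(lock.dependencies, []);
  return [...entries].filter((e) => isAffected(e.name, e.version));
}
// Constructed sample (not a real project): the listed package is only a transitive dependency.
const SAMPLE_LOCK = {
  lockfileVersion: 1,
  dependencies: {
    "some-app-helper": { version: "2.1.0", dependencies: { "generator-ozone-be": { version: "1.0.44" } } },
    "koa-swapi": { version: "1.2.0" }, // a version the post does not list
  },
};
console.log(scanLockfile(SAMPLE_LOCK));
```

Pointing `scanLockfile` at `JSON.parse(fs.readFileSync("package-lock.json"))` lists the affected entries together with the dependency path that pulled each one in, which is the information needed to find the direct dependency to update or remove.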

This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Elisa Velarde.