CVE-2021-23337
📋 TL;DR
Lodash versions before 4.17.21 contain a command injection vulnerability in the template function that allows attackers to execute arbitrary commands on the host system. This affects any application using vulnerable Lodash versions, particularly web applications that process user input through template functions. The vulnerability stems from improper input validation in the template engine.
💻 Affected Systems
- Lodash
- Applications using Lodash library
- Java applications using org.webjars.npm:lodash or org.fujion.webjars:lodash
📦 What is this software?
- Banking Corporate Lending Process Management by Oracle
- Banking Credit Facilities Process Management by Oracle
- Banking Trade Finance Process Management by Oracle
- Communications Cloud Native Core Binding Support Function by Oracle
- Communications Cloud Native Core Policy by Oracle
- Communications Services Gatekeeper by Oracle
- Communications Session Border Controller by Oracle
- Enterprise Communications Broker by Oracle
- Financial Services Crime And Compliance Management Studio by Oracle
- Health Sciences Data Management Workbench by Oracle
- Lodash by Lodash
- Peoplesoft Enterprise Peopletools by Oracle
- Retail Customer Management And Segmentation Foundation by Oracle
- Sinec Ins by Siemens
⚠️ Risk & Real-World Impact
Worst Case
Full remote code execution leading to complete system compromise, data exfiltration, ransomware deployment, or lateral movement within the network.
Likely Case
Limited command execution within the application's context, potentially allowing file system access, data manipulation, or further privilege escalation.
If Mitigated
No impact if input validation prevents malicious template content or if the vulnerable function isn't used with untrusted input.
🎯 Exploit Status
Exploitation requires the application to use Lodash's template() function with user-controlled input. Public proof-of-concept code demonstrates command injection.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.17.21 and later
Vendor Advisory: https://github.com/lodash/lodash/releases/tag/4.17.21
Restart Required: No
Instructions:
1. Update the Lodash dependency to version 4.17.21 or higher.
2. For npm: 'npm update lodash'.
3. For yarn: 'yarn upgrade lodash'.
4. Update package.json to specify "lodash": "^4.17.21".
5. Rebuild and redeploy the application.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation and sanitization for any data passed to the Lodash template() function.
Disable Template Function
Remove or disable usage of the Lodash template() function if it is not required.
🧯 If You Can't Patch
- Implement strict input validation to prevent malicious template content
- Use application firewalls (WAF) to block command injection patterns
🔍 How to Verify
Check if Vulnerable:
Check package.json or package-lock.json for lodash version below 4.17.21. Run 'npm list lodash' or 'yarn list lodash' to check installed version.
Check Version:
- npm list lodash | grep lodash
- node -e "console.log(require('lodash').VERSION)"
Verify Fix Applied:
Confirm lodash version is 4.17.21 or higher using 'npm list lodash' or checking package.json. Test template functionality with safe inputs.
📡 Detection & Monitoring
Log Indicators:
- Unusual command execution patterns
- Template processing errors with suspicious content
- System command execution from application context
Network Indicators:
- Outbound connections from application to unexpected destinations
- Command and control traffic patterns
SIEM Query:
source="application_logs" AND ("template injection" OR "command execution" OR "lodash template")
🔗 References
- https://cert-portal.siemens.com/productcert/pdf/ssa-637483.pdf
- https://github.com/lodash/lodash/blob/ddfd9b11a0126db2302cb70ec9973b66baec0975/lodash.js%23L14851
- https://security.netapp.com/advisory/ntap-20210312-0006/
- https://snyk.io/vuln/SNYK-JAVA-ORGFUJIONWEBJARS-1074932
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARS-1074930
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWER-1074928
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSBOWERGITHUBLODASH-1074931
- https://snyk.io/vuln/SNYK-JAVA-ORGWEBJARSNPM-1074929
- https://snyk.io/vuln/SNYK-JS-LODASH-1040724
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpujan2022.html
- https://www.oracle.com/security-alerts/cpujul2022.html
- https://www.oracle.com/security-alerts/cpuoct2021.html