SynopsisThe remote SUSE host is missing one or more security updates.
DescriptionThe remote SUSE Linux SLES12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3184-1 advisory.
- nodejs: Use-after-free on close http2 on stream canceling (CVE-2021-22930)
- Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. (CVE-2021-22931)
- If the Node.js https API was used incorrectly and undefined was in passed for the rejectUnauthorized parameter, no error was returned and connections to servers with an expired certificate would have been accepted. (CVE-2021-22939)
- Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. (CVE-2021-22940)
- c-ares: Missing input validation of host names may lead to domain hijacking (CVE-2021-3672)
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
SolutionUpdate the affected nodejs14, nodejs14-devel, nodejs14-docs and / or npm14 packages.
File Name: suse_SU-2021-3184-1.nasl
Supported Sensors: Nessus Agent
Temporal Vector: E:U/RL:OF/RC:C
Temporal Vector: E:U/RL:O/RC:C
CPE: p-cpe:/a:novell:suse_linux:nodejs14, p-cpe:/a:novell:suse_linux:nodejs14-devel, p-cpe:/a:novell:suse_linux:nodejs14-docs, p-cpe:/a:novell:suse_linux:npm14, cpe:/o:novell:suse_linux:12
Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list
Exploit Ease: No known exploits are available
Patch Publication Date: 9/22/2021
Vulnerability Publication Date: 8/11/2021