Oracle Linux 9 : nodejs / and / nodejs-nodemon (ELSA-2022-6595)

critical Nessus Plugin ID 165309

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2022-6595 advisory.

- This affects the package ini before 1.3.6. If an attacker submits a malicious INI file to an application that parses it with ini.parse, they will pollute the prototype on the application. This can be exploited further depending on the context. (CVE-2020-7788)

- A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. (CVE-2022-32212)

- The llhttp parser in the http module in Node.js v17.x does not correctly parse and validate Transfer- Encoding headers and can lead to HTTP Request Smuggling (HRS). (CVE-2022-32213)

- The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.
(CVE-2022-33987)

- The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). (CVE-2022-32214)

- The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer- Encoding headers. This can lead to HTTP Request Smuggling (HRS). (CVE-2022-32215)

- npm pack ignores root-level .gitignore and .npmignore file exclusion directives when run in a workspace or with a workspace flag (ie. `--workspaces`, `--workspace=<name>`). Anyone who has run `npm pack` or `npm publish` inside a workspace, as of v7.9.0 and v7.13.0 respectively, may be affected and have published files into the npm registry they did not intend to include. Users should upgrade to the latest, patched version of npm v8.11.0, run: npm i -g [email protected] . Node.js versions v16.15.1, v17.19.1, and v18.3.0 include the patched v8.11.0 version of npm. (CVE-2022-29244)

- This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator. (CVE-2020-28469)

- ansi-regex is vulnerable to Inefficient Regular Expression Complexity (CVE-2021-3807)

- The normalize-url package before 4.5.1, 5.x before 5.3.1, and 6.x before 6.0.1 for Node.js has a ReDoS (regular expression denial of service) issue because it has exponential performance for data: URLs.
(CVE-2021-33502)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2022-6595.html

Plugin Details

Severity: Critical

ID: 165309

File Name: oraclelinux_ELSA-2022-6595.nasl

Version: 1.3

Type: local

Agent: unix

Published: 9/22/2022

Updated: 9/30/2022

Supported Sensors: Frictionless Assessment Agent, Nessus Agent

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.5

Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P

Temporal Vector: E:U/RL:OF/RC:C

CVSS Score Source: CVE-2020-7788

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: E:U/RL:O/RC:C

CVSS Score Source: CVE-2022-32215

Vulnerability Information

CPE: cpe:/o:oracle:linux:9, p-cpe:/a:oracle:linux:nodejs, p-cpe:/a:oracle:linux:nodejs-docs, p-cpe:/a:oracle:linux:nodejs-full-i18n, p-cpe:/a:oracle:linux:nodejs-libs, p-cpe:/a:oracle:linux:nodejs-nodemon, p-cpe:/a:oracle:linux:npm

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 9/22/2022

Vulnerability Publication Date: 12/11/2020

Reference Information

CVE: CVE-2020-7788, CVE-2020-28469, CVE-2021-3807, CVE-2021-33502, CVE-2022-29244, CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-33987

IAVB: 2022-B-0036