SUSE SLES12 Security Update : nodejs18 (SUSE-SU-2023:0408-1)

critical Nessus Plugin ID 171492

Language:

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2023:0408-1 advisory.

This update ships nodejs18 (jsc#PED-2097)

Update to NodejJS 18.13.0 LTS:

* build: disable v8 snapshot compression by default
* crypto: update root certificates
* deps: update ICU to 72.1
* doc:

- add doc-only deprecation for headers/trailers setters
- add Rafael to the tsc
- deprecate use of invalid ports in url.parse
- deprecate url.parse()

* lib: drop fetch experimental warning
* net: add autoSelectFamily and autoSelectFamilyAttemptTimeout options
* src:

- add uvwasi version
- add initial shadow realm support

* test_runner:

- add t.after() hook
- don't use a symbol for runHook()

* tls:

- add 'ca' property to certificate object

* util:

- add fast path for utf8 encoding
- improve textdecoder decode performance
- add MIME utilities

- Fixes compatibility with ICU 72.1 (bsc#1205236)
- Fix migration to openssl-3 (bsc#1205042)

Update to NodeJS 18.12.1 LTS:

* inspector: DNS rebinding in --inspect via invalid octal IP (bsc#1205119, CVE-2022-43548)

Update to NodeJS 18.12.0 LTS:

* Running in 'watch' mode using node --watch restarts the process when an imported file is changed.
* fs: add FileHandle.prototype.readLines
* http: add writeEarlyHints function to ServerResponse
* http2: make early hints generic
* util: add default value option to parsearg

Update to NodeJS 18.11.0:

* added experimental watch mode -- running in 'watch' mode using node --watch restarts the process when an imported file is changed
* fs: add FileHandle.prototype.readLines
* http: add writeEarlyHints function to ServerResponse
* http2: make early hints generic
* lib: refactor transferable AbortSignal
* src: add detailed embedder process initialization API
* util: add default value option to parsearg

Update to NodeJS 18.10.0:

* deps: upgrade npm to 8.19.2
* http: throw error on content-length mismatch
* stream: add ReadableByteStream.tee()

Update to Nodejs 18.9.1:

* deps: llhttp updated to 6.0.10

- CVE-2022-32213 bypass via obs-fold mechanic (bsc#1201325)
- Incorrect Parsing of Multi-line Transfer-Encoding (CVE-2022-32215, bsc#1201327)
- Incorrect Parsing of Header Fields (CVE-2022-35256, bsc#1203832)

* crypto: fix weak randomness in WebCrypto keygen (CVE-2022-35255, bsc#1203831)

Update to Nodejs 18.9.0:

* lib - add diagnostics channel for process and worker
* os - add machine method
* report - expose report public native apis
* src - expose environment RequestInterrupt api
* vm - include vm context in the embedded snapshot

Changes in 18.8.0:

* bootstrap: implement run-time user-land snapshots via
--build-snapshot and --snapshot-blob. See
* crypto:
- allow zero-length IKM in HKDF and in webcrypto PBKDF2
- allow zero-length secret KeyObject
* deps: upgrade npm to 8.18.0
* http: make idle http parser count configurable
* net: add local family
* src: print source map error source on demand
* tls: pass a valid socket on tlsClientError

Update to Nodejs 18.7.0:

* events: add CustomEvent
* http: add drop request event for http server
* lib: improved diagnostics_channel subscribe/unsubscribe
* util: add tokens to parseArgs

- enable crypto policy ciphers for TW and SLE15 SP4+ (bsc#1200303)

Update to Nodejs 18.6.0:

* Experimental ESM Loader Hooks API. For details see, https://nodejs.org/api/esm.html
* dns: export error code constants from dns/promises
* esm: add chaining to loaders
* http: add diagnostics channel for http client
* http: add perf_hooks detail for http request and client
* module: add isBuiltIn method
* net: add drop event for net server
* test_runner: expose describe and it
* v8: add v8.startupSnapshot utils

For details, see https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.6.0

Update to Nodejs 18.5.0:

* http: stricter Transfer-Encoding and header separator parsing (bsc#1201325, bsc#1201326, bsc#1201327, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215)
* src: fix IPv4 validation in inspector_socket (bsc#1201328, CVE-2022-32212)

For details, see https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.5.0

Update to Nodejs 18.4.0. For detailed changes see,

https://github.com/nodejs/node/blob/main/doc/changelogs/CHANGELOG_V18.md#18.4.0
- refreshed: versioned.patch, linker_lto_jobs.patch, nodejs-libpath.patch

Initial packaging of Nodejs 18.2.0. For detailed changes since previous versions, see https://github.com/nodejs/node/blob/master/doc/changelogs/CHANGELOG_V18.md#18.2.0

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected nodejs18, nodejs18-devel, nodejs18-docs and / or npm18 packages.

See Also

https://bugzilla.suse.com/1200303

https://bugzilla.suse.com/1201325

https://bugzilla.suse.com/1201326

https://bugzilla.suse.com/1201327

https://bugzilla.suse.com/1201328

https://bugzilla.suse.com/1203831

https://bugzilla.suse.com/1203832

https://bugzilla.suse.com/1205042

https://bugzilla.suse.com/1205119

https://bugzilla.suse.com/1205236

https://www.suse.com/security/cve/CVE-2022-32212

https://www.suse.com/security/cve/CVE-2022-32213

https://www.suse.com/security/cve/CVE-2022-32214

https://www.suse.com/security/cve/CVE-2022-32215

https://www.suse.com/security/cve/CVE-2022-35255

https://www.suse.com/security/cve/CVE-2022-35256

https://www.suse.com/security/cve/CVE-2022-43548

http://www.nessus.org/u?d652e560

Plugin Details

Severity: Critical

ID: 171492

File Name: suse_SU-2023-0408-1.nasl

Version: 1.4

Type: Local

Agent: unix

Published: 2/15/2023

Updated: 6/26/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 4.9

Percentile: 57.58

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:N

CVSS Score Source: CVE-2022-35255

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 8.2

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:12, p-cpe:/a:novell:suse_linux:nodejs18, p-cpe:/a:novell:suse_linux:nodejs18-devel, p-cpe:/a:novell:suse_linux:nodejs18-docs, p-cpe:/a:novell:suse_linux:npm18

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/14/2023

Vulnerability Publication Date: 7/7/2022

Reference Information

CVE: CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-35255, CVE-2022-35256, CVE-2022-43548

SuSE: SUSE-SU-2023:0408-1