RHEL 8 : nodejs:14 (RHSA-2023:1533)

critical Nessus Plugin ID 173777

Synopsis

The remote Red Hat host is missing one or more security updates.

Description

The remote Red Hat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2023:1533 advisory.

- The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression. (CVE-2021-35065)

- Minimist <=1.2.5 is vulnerable to Prototype Pollution via file index.js, function setKey() (lines 69-95). (CVE-2021-44906)

- qs before 6.10.3, as used in Express before 4.17.3 and other products, allows attackers to cause a Node process hang for an Express application because an __proto__ key can be used. In many typical Express use cases, an unauthenticated remote attacker can place the attack payload in the query string of the URL that is used to visit the application, such as a[__proto__]=b&a[__proto__]&a[length]=100000000. The fix was backported to qs 6.9.7, 6.8.3, 6.7.3, 6.6.1, 6.5.3, 6.4.1, 6.3.3, and 6.2.4 (and therefore Express 4.17.3, which has "deps: qs@6.9.7" in its release description, is not vulnerable). (CVE-2022-24999)

- This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. (CVE-2022-25881)

- A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service. (CVE-2022-3517)

- The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CRLF. This may result in HTTP Request Smuggling. (CVE-2022-35256)

- decode-uri-component 0.2.0 is vulnerable to Improper Input Validation resulting in DoS. (CVE-2022-38900)

- An OS Command Injection vulnerability exists in Node.js versions <14.21.1, <16.18.1, <18.12.1, <19.0.1 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DNS requests, allowing rebinding attacks. The fix for this issue in https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32212 was incomplete and this new CVE is to complete the fix. (CVE-2022-43548)

- A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. (CVE-2022-4904)

- A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non-authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy. (CVE-2023-23918)

- An untrusted search path vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges. (CVE-2023-23920)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://access.redhat.com/security/cve/CVE-2021-35065

https://access.redhat.com/security/cve/CVE-2021-44906

https://access.redhat.com/security/cve/CVE-2022-3517

https://access.redhat.com/security/cve/CVE-2022-4904

https://access.redhat.com/security/cve/CVE-2022-24999

https://access.redhat.com/security/cve/CVE-2022-25881

https://access.redhat.com/security/cve/CVE-2022-35256

https://access.redhat.com/security/cve/CVE-2022-38900

https://access.redhat.com/security/cve/CVE-2022-43548

https://access.redhat.com/security/cve/CVE-2023-23918

https://access.redhat.com/security/cve/CVE-2023-23920

https://access.redhat.com/errata/RHSA-2023:1533

Plugin Details

Severity: Critical

ID: 173777

File Name: redhat-RHSA-2023-1533.nasl

Version: 1.2

Type: local

Agent: unix

Published: 4/2/2023

Updated: 5/24/2023

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-44906

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:redhat:rhel_aus:8.4, cpe:/o:redhat:rhel_e4s:8.4, cpe:/o:redhat:rhel_eus:8.4, cpe:/o:redhat:rhel_tus:8.4, p-cpe:/a:redhat:enterprise_linux:nodejs, p-cpe:/a:redhat:enterprise_linux:nodejs-devel, p-cpe:/a:redhat:enterprise_linux:nodejs-docs, p-cpe:/a:redhat:enterprise_linux:nodejs-full-i18n, p-cpe:/a:redhat:enterprise_linux:nodejs-nodemon, p-cpe:/a:redhat:enterprise_linux:nodejs-packaging, p-cpe:/a:redhat:enterprise_linux:npm

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 3/30/2023

Vulnerability Publication Date: 3/17/2022

Reference Information

CVE: CVE-2021-35065, CVE-2021-44906, CVE-2022-24999, CVE-2022-25881, CVE-2022-3517, CVE-2022-35256, CVE-2022-38900, CVE-2022-43548, CVE-2022-4904, CVE-2023-23918, CVE-2023-23920

CWE: 119, 1321, 1333, 20, 350, 400, 426, 444, 863

RHSA: 2023:1533