Detections
Analytics

Alibaba Cloud Linux 3 : 0022: nodejs:14 (ALINUX3-SA-2021:0022)

high Nessus Plugin ID 236681

Synopsis

The remote Alibaba Cloud Linux host is missing one or more security updates.

Description

The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2021:0022 advisory.

 Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities:

 CVE-2020-10531:
 An issue was discovered in International Components for Unicode (ICU) for C/C++ through 66.1. An integer overflow, leading to a heap-based buffer overflow, exists in the UnicodeString::doAppend() function in common/unistr.cpp.

 CVE-2021-22883:
 Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and prevent the process also from opening, e.g. a file. If no file descriptor limit is configured, then this lead to an excessive memory usage and cause the system to run out of memory.

 CVE-2021-22884:
 Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes localhost6. When localhost6 is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the localhost6 domain. As long as the attacker uses the localhost6 domain, they can still apply the attack described in CVE-2018-7160.

Tenable has extracted the preceding description block directly from the Alibaba Cloud Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

http://mirrors.aliyun.com/alinux/3/cve/alinux3-sa-20210022.xml

Plugin Details

Severity: High

ID: 236681

File Name: alinux3_sa_2021-0022.nasl

Version: 1.1

Type: local

Published: 5/14/2025

Updated: 5/14/2025

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5.3

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2020-10531

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:npm, cpe:/o:alibabacloud:alibaba_cloud_linux_3, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:nodejs-debuginfo, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:nodejs-docs, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:nodejs, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:nodejs-devel, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:nodejs-debugsource, p-cpe:/a:alibabacloud:alibaba_cloud_linux_3:nodejs-full-i18n

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/Alibaba/release, Host/Alibaba/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 4/7/2021

Vulnerability Publication Date: 3/12/2020

Reference Information

CVE: CVE-2020-10531, CVE-2021-22883, CVE-2021-22884