Debian DLA-3137-1 : nodejs - LTS security update

critical Nessus Plugin ID 165709

Synopsis

The remote Debian host is missing one or more security-related updates.

Description

The remote Debian 10 host has packages installed that are affected by multiple vulnerabilities as referenced in the dla-3137 advisory.

- Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. (CVE-2021-22930)

- If the Node.js https API was used incorrectly and undefined was in passed for the rejectUnauthorized parameter, no error was returned and connections to servers with an expired certificate would have been accepted. (CVE-2021-22939)

- Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior. (CVE-2021-22940)

- Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be __proto__. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to. (CVE-2022-21824)

- A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. (CVE-2022-32212)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade the nodejs packages.

For Debian 10 buster, these problems have been fixed in version 10.24.0~dfsg-1~deb10u2.

See Also

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1004177

https://security-tracker.debian.org/tracker/source-package/nodejs

https://www.debian.org/lts/security/2022/dla-3137

https://security-tracker.debian.org/tracker/CVE-2021-22930

https://security-tracker.debian.org/tracker/CVE-2021-22939

https://security-tracker.debian.org/tracker/CVE-2021-22940

https://security-tracker.debian.org/tracker/CVE-2022-21824

https://security-tracker.debian.org/tracker/CVE-2022-32212

https://packages.debian.org/source/buster/nodejs

Plugin Details

Severity: Critical

ID: 165709

File Name: debian_DLA-3137.nasl

Version: 1.3

Type: local

Agent: unix

Published: 10/5/2022

Updated: 10/10/2023

Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-22930

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:debian:debian_linux:libnode64, cpe:/o:debian:debian_linux:10.0, p-cpe:/a:debian:debian_linux:nodejs-doc, p-cpe:/a:debian:debian_linux:libnode-dev, p-cpe:/a:debian:debian_linux:nodejs

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 10/5/2022

Vulnerability Publication Date: 8/11/2021

Reference Information

CVE: CVE-2021-22930, CVE-2021-22939, CVE-2021-22940, CVE-2022-21824, CVE-2022-32212