Amazon Linux 2022 : nodejs (ALAS2022-2022-214)

critical Nessus Plugin ID 168555

Synopsis

The remote Amazon Linux 2022 host is missing a security update.

Description

The version of nodejs installed on the remote host is prior to 18.4.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-214 advisory.

- The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

- The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

- The npm ci command in npm 7.x and 8.x through 8.1.3 proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation, and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. NOTE: The npm team believes this is not a vulnerability. It would require someone to socially engineer package.json which has different dependencies than package-lock.json. That user would have to have file system or write access to change dependencies.
The npm team states preventing malicious actors from socially engineering or gaining file system access is outside the scope of the npm CLI. (CVE-2021-43616)

- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use.
Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option. (CVE-2021-44531)

- Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option. (CVE-2021-44532)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'yum update nodejs' to update your system.

See Also

https://alas.aws.amazon.com/AL2022/ALAS-2022-214.html

https://alas.aws.amazon.com/cve/html/CVE-2021-22959.html

https://alas.aws.amazon.com/cve/html/CVE-2021-22960.html

https://alas.aws.amazon.com/cve/html/CVE-2021-43616.html

https://alas.aws.amazon.com/cve/html/CVE-2021-44531.html

https://alas.aws.amazon.com/cve/html/CVE-2021-44532.html

https://alas.aws.amazon.com/cve/html/CVE-2021-44533.html

https://alas.aws.amazon.com/cve/html/CVE-2022-21824.html

Plugin Details

Severity: Critical

ID: 168555

File Name: al2022_ALAS2022-2022-214.nasl

Version: 1.4

Type: local

Agent: unix

Published: 12/9/2022

Updated: 12/11/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-43616

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:nodejs-full-i18n, p-cpe:/a:amazon:linux:nodejs-devel, p-cpe:/a:amazon:linux:nodejs, p-cpe:/a:amazon:linux:nodejs-debuginfo, cpe:/o:amazon:linux:2022, p-cpe:/a:amazon:linux:nodejs-libs-debuginfo, p-cpe:/a:amazon:linux:v8-devel, p-cpe:/a:amazon:linux:nodejs-docs, p-cpe:/a:amazon:linux:npm, p-cpe:/a:amazon:linux:nodejs-debugsource, p-cpe:/a:amazon:linux:nodejs-libs

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 12/6/2022

Vulnerability Publication Date: 10/12/2021

Reference Information

CVE: CVE-2021-22959, CVE-2021-22960, CVE-2021-43616, CVE-2021-44531, CVE-2021-44532, CVE-2021-44533, CVE-2022-21824