Detections
Analytics

Amazon Linux 2023 : nodejs, nodejs-devel, nodejs-full-i18n (ALAS2023-2023-084)

critical Nessus Plugin ID 173113

Language:

Synopsis

The remote Amazon Linux 2023 host is missing a security update.

Description

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-084 advisory.

 An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. Spaces as part of the header names were accepted as valid. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity.
 (CVE-2021-22959)

 An HTTP Request Smuggling (HRS) vulnerability was found in the llhttp library, used by Node.JS. During the parsing of chunked messages, the chunk size parameter was not validated properly. In situations where HTTP conversations are being proxied (such as proxy, reverse-proxy, load-balancer), an attacker can use this flaw to inject arbitrary messages through the proxy. The highest threat from this vulnerability is to confidentiality and integrity. (CVE-2021-22960)

 A flaw was found in npm. The npm ci command proceeds with an installation even if dependency information in package-lock.json differs from package.json. This behavior is inconsistent with the documentation and makes it easier for attackers to install malware that was supposed to have been blocked by an exact version match requirement in package-lock.json. (CVE-2021-43616)

 A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host. (CVE-2021-44531)

 It was found that node.js did not safely read the x509 certificate generalName format properly, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host. (CVE-2021-44532)

 A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names.
 This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries. (CVE-2021-44533)

 Prototype pollution via console.table properties (CVE-2022-21824)

 A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.16.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks. (CVE-2022-32212)

 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly parse and validate Transfer-Encoding headers and can lead to HTTP Request Smuggling (HRS). (CVE-2022-32213)

 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
 (CVE-2022-32214)

 The llhttp parser <v14.20.1, <v16.17.1 and <v18.9.1 in the http module in Node.js does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
 (CVE-2022-32215)

 A cryptographic vulnerability exists on Node.js on linux in versions of 18.x prior to 18.40.0 which allowed a default path for openssl.cnf that might be accessible under some circumstances to a non-admin user instead of /etc/ssl as was the case in versions prior to the upgrade to OpenSSL 3. (CVE-2022-32222)

 Node.js is vulnerable to Hijack Execution Flow: DLL Hijacking under certain conditions on Windows platforms.This vulnerability can be exploited if the victim has the following dependencies on a Windows machine:* OpenSSL has been installed and C:\Program Files\Common Files\SSL\openssl.cnf exists.Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory.After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability. (CVE-2022-32223)

 A vulnerability was found in NodeJS due to weak randomness in the WebCrypto keygen within the SecretKeyGenTraits::DoKeyGen() in src/crypto/crypto_keygen.cc. Node.js made calls to EntropySource() in SecretKeyGenTraits::DoKeyGen(). However, it does not check the return value and assumes the EntropySource() always succeeds, but it can and sometimes will fail. This flaw allows a remote attacker to decrypt sensitive information. (CVE-2022-35255)

 HTTP Request Smuggling Due to Incorrect Parsing of Header Fields (CVE-2022-35256)

 A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occursafter certificate chain signature verification and requires either a CA to have signed the malicious certificate or for the application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address to overflow four attacker-controlled bytes on the stack. This buffer overflow could result in a crash (causing a denial of service) or potentially remote code execution.. (CVE-2022-3602)

 A buffer overrun can be triggered in X.509 certificate verification, specifically in name constraint checking. Note that this occurs after certificate chain signature verification and requires either a CA to have signed a malicious certificate or for an application to continue certificate verification despite failure to construct a path to a trusted issuer. An attacker can craft a malicious email address in a certificate to overflow an arbitrary number of bytes containing the . character (decimal 46) on the stack.
 This buffer overflow could result in a crash (causing a denial of service). (CVE-2022-3786)

 A flaw was found in NodeJS. The issue occurs in the Node.js rebinding protector for --inspect that still allows invalid IP addresses, specifically, the octal format. This flaw allows an attacker to perform DNS rebinding and execute arbitrary code. (CVE-2022-43548)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'dnf update nodejs --releasever=2023.0.20230222 ' to update your system.

See Also

https://alas.aws.amazon.com/AL2023/ALAS-2023-084.html

https://alas.aws.amazon.com/cve/html/CVE-2021-22959.html

https://alas.aws.amazon.com/cve/html/CVE-2021-22960.html

https://alas.aws.amazon.com/cve/html/CVE-2021-43616.html

https://alas.aws.amazon.com/cve/html/CVE-2021-44531.html

https://alas.aws.amazon.com/cve/html/CVE-2021-44532.html

https://alas.aws.amazon.com/cve/html/CVE-2021-44533.html

https://alas.aws.amazon.com/cve/html/CVE-2022-21824.html

https://alas.aws.amazon.com/cve/html/CVE-2022-32212.html

https://alas.aws.amazon.com/cve/html/CVE-2022-32213.html

https://alas.aws.amazon.com/cve/html/CVE-2022-32214.html

https://alas.aws.amazon.com/cve/html/CVE-2022-32215.html

https://alas.aws.amazon.com/cve/html/CVE-2022-32222.html

https://alas.aws.amazon.com/cve/html/CVE-2022-32223.html

https://alas.aws.amazon.com/cve/html/CVE-2022-35255.html

https://alas.aws.amazon.com/cve/html/CVE-2022-35256.html

https://alas.aws.amazon.com/cve/html/CVE-2022-3602.html

https://alas.aws.amazon.com/cve/html/CVE-2022-3786.html

https://alas.aws.amazon.com/cve/html/CVE-2022-43548.html

https://alas.aws.amazon.com/faqs.html

Plugin Details

Severity: Critical

ID: 173113

File Name: al2023_ALAS2023-2023-084.nasl

Version: 1.3

Type: local

Agent: unix

Published: 3/21/2023

Updated: 12/11/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 7.5

Temporal Score: 5.9

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2021-43616

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:nodejs-full-i18n, p-cpe:/a:amazon:linux:nodejs-devel, p-cpe:/a:amazon:linux:nodejs, p-cpe:/a:amazon:linux:nodejs-debuginfo, p-cpe:/a:amazon:linux:nodejs-libs-debuginfo, p-cpe:/a:amazon:linux:v8-devel, p-cpe:/a:amazon:linux:nodejs-docs, p-cpe:/a:amazon:linux:npm, p-cpe:/a:amazon:linux:nodejs-debugsource, p-cpe:/a:amazon:linux:nodejs-libs, cpe:/o:amazon:linux:2023

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/17/2023

Vulnerability Publication Date: 10/12/2021

Reference Information

CVE: CVE-2021-22959, CVE-2021-22960, CVE-2021-43616, CVE-2021-44531, CVE-2021-44532, CVE-2021-44533, CVE-2022-21824, CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-32222, CVE-2022-32223, CVE-2022-35255, CVE-2022-35256, CVE-2022-3602, CVE-2022-3786, CVE-2022-43548