nodejs:18 security update
Errata ID: AXSA:2023-6526:01
Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language.
Security Fix(es):
* HTTP/2: Multiple HTTP/2 enabled web servers are vulnerable to a DDoS attack (Rapid Reset Attack) (CVE-2023-44487)
An Asianux Security Bulletin which addresses further details about this flaw is available in the References section.
* nodejs: integrity checks according to policies can be circumvented (CVE-2023-38552)
* nodejs: code injection via WebAssembly export names (CVE-2023-39333)
* node-undici: cookie leakage (CVE-2023-45143)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.
CVE-2023-38552
When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to Node's policy implementation, thus effectively disabling the integrity check. Impacts: This vulnerability affects all users using the experimental policy mechanism in all active release lines: 18.x and 20.x. Please note that at the time this CVE was issued, the policy mechanism was an experimental feature of Node.js.
CVE-2023-39333
RESERVED
CVE-2023-44487
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
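A detection sketch for the cancellation pattern described above, as an added example that is not code from Node.js or from this advisory. The event format, the window length, the threshold and the sample data are all assumptions made for illustration.

```javascript
// Added example: flag HTTP/2 connections whose client cancels in-flight
// streams faster than a threshold (the pattern described for CVE-2023-44487).
// Event names, thresholds and sample data are constructed assumptions.
const WINDOW_MS = 1000; // sliding window length (assumed)
const MAX_RESETS = 100; // cancelled requests tolerated per window (assumed)

// events: { t: ms, conn: id, stream: id, type }
//   'open'  = HEADERS frame opened the stream
//   'end'   = stream finished normally (END_STREAM flag)
//   'reset' = client sent RST_STREAM
function findRapidReset(events, windowMs = WINDOW_MS, maxResets = MAX_RESETS) {
  const open = new Map();    // conn -> Set of streams still in flight
  const resets = new Map();  // conn -> timestamps of counted resets
  const flagged = new Map(); // conn -> time the threshold was first crossed
  for (const ev of [...events].sort((a, b) => a.t - b.t)) {
    if (!open.has(ev.conn)) { open.set(ev.conn, new Set()); resets.set(ev.conn, []); }
    const streams = open.get(ev.conn);
    if (ev.type === 'open') streams.add(ev.stream);
    else if (ev.type === 'end') streams.delete(ev.stream);
    else if (ev.type === 'reset' && streams.delete(ev.stream)) {
      // Only resets that cancel a request still in flight are counted.
      const q = resets.get(ev.conn);
      q.push(ev.t);
      while (q[0] <= ev.t - windowMs) q.shift(); // drop resets outside the window
      if (q.length > maxResets && !flagged.has(ev.conn)) flagged.set(ev.conn, ev.t);
    }
  }
  return flagged;
}

// Constructed sample: connection A opens and cancels 300 streams in 600 ms;
// connection B completes most requests and cancels one in ten.
function sampleEvents() {
  const ev = [];
  for (let i = 0; i < 300; i++) {
    ev.push({ t: i * 2, conn: 'A', stream: 2 * i + 1, type: 'open' });
    ev.push({ t: i * 2 + 1, conn: 'A', stream: 2 * i + 1, type: 'reset' });
    ev.push({ t: i * 20, conn: 'B', stream: 2 * i + 1, type: 'open' });
    ev.push({ t: i * 20 + 10, conn: 'B', stream: 2 * i + 1, type: i % 10 ? 'end' : 'reset' });
  }
  return ev;
}

console.log([...findRapidReset(sampleEvents())]);
```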
CVE-2023-45143
Undici is an HTTP/1.1 client written from scratch for Node.js. Prior to version 5.26.2, Undici already cleared Authorization headers on cross-origin redirects, but did not clear `Cookie` headers. By design, `cookie` headers are forbidden request headers, so they cannot be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect between the assumptions the spec made and undici's implementation of fetch. As such, this may lead to accidental leakage of cookies to a third-party site, or allow a malicious attacker who can control the redirection target (i.e., an open redirector) to leak the cookie to the third-party site. This was patched in version 5.26.2. There are no known workarounds.
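The redirect handling described above, modelled as an added example that is not undici's own code: it walks a redirect chain and shows which request headers reach each origin when only Authorization is cleared and when Cookie is cleared as well. The hosts, paths, header values and function names are constructed for illustration.

```javascript
// Added example (not undici's code): which request headers survive a
// cross-origin redirect, before and after the CVE-2023-45143 fix.
// Hosts, paths and header values are constructed for illustration.
const REDIRECTS = { // constructed redirect table: URL -> Location header
  'https://app.example/login': '/home',
  'https://app.example/out': 'https://third-party.example/landing',
};
const PRE_FIX = ['authorization'];           // cleared before 5.26.2, per the advisory
const PATCHED = ['authorization', 'cookie']; // cleared from 5.26.2 on

// Headers for the next hop: drop the sensitive ones only when the redirect
// crosses an origin boundary (scheme + host + port).
function headersForRedirect(fromUrl, toUrl, headers, sensitive) {
  if (new URL(fromUrl).origin === new URL(toUrl).origin) return { ...headers };
  return Object.fromEntries(
    Object.entries(headers).filter(([name]) => !sensitive.includes(name.toLowerCase())));
}

// Walk the constructed redirect chain and record what each origin receives.
function followRedirects(startUrl, headers, sensitive, maxHops = 5) {
  const seen = [];
  let url = startUrl;
  let current = { ...headers };
  for (let hop = 0; hop <= maxHops; hop++) {
    seen.push({ origin: new URL(url).origin, headers: current });
    const location = REDIRECTS[url];
    if (!location) return seen;
    const target = new URL(location, url).href; // resolve relative Location values
    current = headersForRedirect(url, target, current, sensitive);
    url = target;
  }
  throw new Error('too many redirects');
}

const sampleRequest = {
  Authorization: 'Bearer constructed-token',
  Cookie: 'sid=constructed',
  Accept: '*/*',
};
for (const [label, list] of [['pre-fix', PRE_FIX], ['patched', PATCHED]]) {
  const last = followRedirects('https://app.example/out', sampleRequest, list).at(-1);
  console.log(label, last.origin, Object.keys(last.headers));
}
```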
Modularity name: "nodejs"
Stream name: "18"
Update packages.
N/A
SRPMS
- nodejs-nodemon-3.0.1-1.module+el8+1673+60462d86.src.rpm
MD5: bbda7acc31f296e538e638829e7fbb76
SHA-256: efaa2a0c24de0989995853c148a5ba422bdf2eca1a99aa38999276e5fb195fd2
Size: 340.68 kB
- nodejs-packaging-2021.06-4.module+el8+1673+60462d86.src.rpm
MD5: 6fd11a75fd12e3bde962f5fd14264eaf
SHA-256: 5edabc794cde7f7dffb67038ca14fd3480862568883d1de91032459d1d0e0a2b
Size: 30.29 kB
- nodejs-18.18.2-1.module+el8+1673+60462d86.src.rpm
MD5: 51560f184b4a79eb765c1f894936b8da
SHA-256: eaa994424e0b46a776c660653df1484de440fafd709f388402286675ad69f8f0
Size: 122.96 MB
Asianux Server 8 for x86_64
- nodejs-18.18.2-1.module+el8+1673+60462d86.x86_64.rpm
MD5: ef07db41ed05566170f49f9c9059c500
SHA-256: 5cf877448a5d64ef5f71da9a69c58b7a68ab9ed7e6e4629e118dcb969bad5958
Size: 13.44 MB
- nodejs-debugsource-18.18.2-1.module+el8+1673+60462d86.x86_64.rpm
MD5: 1c4f3734b553932e5362193da6a59eb9
SHA-256: 95d2350ec8b1ff0ef695e764f10394de44c325bb5b3da437781ca59b1f3e879d
Size: 14.46 MB
- nodejs-devel-18.18.2-1.module+el8+1673+60462d86.x86_64.rpm
MD5: 5f2167db42d94fb6d3c1ad5e3f630900
SHA-256: 10c66323d3c0caa32a2fcb83982bdd9db1d822dd2c199ccc2f5a0927db0ea860
Size: 207.03 kB
- nodejs-docs-18.18.2-1.module+el8+1673+60462d86.noarch.rpm
MD5: 86f05700d4c338177ef79eb13764e09c
SHA-256: 3b3892850fffa68ced1cf6f4d5cf6444b9d2ee7f81724bbcb219957695cda8be
Size: 10.01 MB
- nodejs-full-i18n-18.18.2-1.module+el8+1673+60462d86.x86_64.rpm
MD5: 5074e807ecb655a67de892c4cadf8696
SHA-256: abcd5afea076e49f9a3a9f54ab2ade0f7a7cf186e3f810d408b3e49693d106c3
Size: 8.25 MB
- nodejs-nodemon-3.0.1-1.module+el8+1673+60462d86.noarch.rpm
MD5: 4ad9f483aa8d8180845991612a0eebd7
SHA-256: b425242c1de53e97521de2501ac87dfb081100df952b23ff4905d4dd92019a47
Size: 282.09 kB
- nodejs-packaging-2021.06-4.module+el8+1673+60462d86.noarch.rpm
MD5: 5a10efa06a703de0567a4c5c775056b0
SHA-256: 47911e13b32ee8419df26c0d5ff0b7bb7fdd1effdcacfb4f3e871d9380e96282
Size: 24.14 kB
- nodejs-packaging-bundler-2021.06-4.module+el8+1673+60462d86.noarch.rpm
MD5: 46928dfbebc8cf144484cd8bee5ed07d
SHA-256: 25f333e554ece367219abb35f0f07b77549face627eccee1be84317e5a44ed9e
Size: 13.76 kB
- npm-9.8.1-1.18.18.2.1.module+el8+1673+60462d86.x86_64.rpm
MD5: b7b1be8f54768c65d0206081cfc4ba3d
SHA-256: 6c97253a5ce6888da0763827dbbc1c8f26f9a29ceb80b576a3d3b4b0c63a2afa
Size: 2.20 MB