nodejs:10 security update
Errata ID: AXSA:2021-1558:01
Release date:
2021/03/07 Sunday - 00:45
Title:
nodejs:10 security update
Affected channels:
Asianux Server 8 for x86_64
Severity:
High
Description:
The following issues have been addressed.
[Security Fix]
- Node.js mishandles connections using 'unknownProtocol' and does not release their file descriptors properly. When a file descriptor limit is configured, the descriptors are exhausted so that new connections cannot be accepted or files cannot be opened; when no limit is configured, memory is exhausted instead. This is a denial-of-service (DoS) vulnerability. (CVE-2021-22883)
- Node.js includes "localhost6" in its whitelist. If an attacker controls the victim's DNS server or can spoof DNS responses, the DNS rebinding protection can be bypassed by using the "localhost6" domain, so as long as the attacker uses "localhost6" they can carry out the attack described in CVE-2018-7160. (CVE-2021-22884)
Solution:
Update the packages.
CVE:
CVE-2021-22883
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to a denial of service attack when too many connection attempts with an 'unknownProtocol' are established. This leads to a leak of file descriptors. If a file descriptor limit is configured on the system, then the server is unable to accept new connections and the process is also prevented from opening, e.g., a file. If no file descriptor limit is configured, then this leads to excessive memory usage and causes the system to run out of memory.
CVE-2021-22884
Node.js before 10.24.0, 12.21.0, 14.16.0, and 15.10.0 is vulnerable to DNS rebinding attacks as the whitelist includes “localhost6”. When “localhost6” is not present in /etc/hosts, it is just an ordinary domain that is resolved via DNS, i.e., over network. If the attacker controls the victim's DNS server or can spoof its responses, the DNS rebinding protection can be bypassed by using the “localhost6” domain. As long as the attacker uses the “localhost6” domain, they can still apply the attack described in CVE-2018-7160.
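As an added illustration of the CVE-2021-22884 weakness (this is not code from Node.js or from this advisory): a hypothetical Host-header check for a local debug listener, showing the weak name allowlist beside a hardened variant that only trusts names pinned to a loopback address in a local hosts table. The hosts table, the function names and all hostnames below are constructed sample values.

```python
import ipaddress

# Constructed sample of local hosts-file entries (not from any real system).
SAMPLE_HOSTS = {
    "localhost": "127.0.0.1",
    "ip6-localhost": "::1",
}

# Weak allowlist of the kind described for CVE-2021-22884: "localhost6" is
# trusted by name alone. If it is not pinned in the hosts file, the name is
# resolved over the network, so an attacker-controlled DNS answer still passes.
WEAK_ALLOWLIST = {"localhost", "localhost6"}


def host_name(host_header):
    """Strip an optional port from a Host header value ("[::1]:9229", "localhost:9229")."""
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        return value[1:end] if end != -1 else value
    if value.count(":") == 1:
        return value.split(":", 1)[0]
    return value


def is_loopback_literal(text):
    """True only for an IP literal that is a loopback address."""
    try:
        return ipaddress.ip_address(text).is_loopback
    except ValueError:
        return False


def host_allowed_weak(host_header):
    """Weak check: accepts any allowlisted name without resolving it."""
    name = host_name(host_header)
    return is_loopback_literal(name) or name in WEAK_ALLOWLIST


def host_allowed_hardened(host_header, hosts_file=SAMPLE_HOSTS):
    """Hardened check: a name is trusted only if it is pinned locally to a
    loopback address; anything that would need a DNS lookup is rejected."""
    name = host_name(host_header)
    if is_loopback_literal(name):
        return True
    pinned = hosts_file.get(name)
    return pinned is not None and is_loopback_literal(pinned)
```

With the sample table, the weak check accepts "localhost6:9229" while the hardened check rejects it, and only accepts it once the name is explicitly pinned to a loopback address.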
Additional information:
N/A
Downloads:
SRPMS
- nodejs-nodemon-1.18.3-1.module+el8+1212+8a4373da.src.rpm
  MD5: 4d70849b45c9c41bbcb96cbffc4d5ac4
  SHA-256: 391cb10666cd38e4a66fba3c6d792218f506268e517b0c0b9e26f87a62402d31
  Size: 1.35 MB
- nodejs-packaging-17-3.module+el8+1212+8a4373da.src.rpm
  MD5: 0aef6098a56e26d4e054b394455ae9a8
  SHA-256: 7781f703482072db1ca35c7f11d8fdf35253ce8cec9e93b1e0cab9436fa50685
  Size: 20.66 kB
- nodejs-10.24.0-1.module+el8+1212+8a4373da.src.rpm
  MD5: 866776fe9d51cd8b4e11f14c83e2d832
  SHA-256: 76dfd18a1d36620a55a8e891afee8372245a67bbbd1489a116a29350a0204106
  Size: 50.13 MB
Asianux Server 8 for x86_64
- nodejs-nodemon-1.18.3-1.module+el8+1212+8a4373da.noarch.rpm
  MD5: 7fd3e1182440efcdaa4a06f20e290113
  SHA-256: 632d7bcb431317a51012f777097cfcbdfa1c9c132152babd1fec64756147a511
  Size: 963.33 kB
- nodejs-packaging-17-3.module+el8+1212+8a4373da.noarch.rpm
  MD5: 0f338e33048520f2f6eaf7a74d1dd8b6
  SHA-256: 944e3e31e0fc3e5ae7a70ee2d7bb30fd43e3da535fa51af500f43cf352133ae9
  Size: 18.43 kB
- nodejs-10.24.0-1.module+el8+1212+8a4373da.x86_64.rpm
  MD5: df730047b53a5130f79a99e896863e49
  SHA-256: 67d1514d2c2b5dcec6066797164298989f4f6c712099a574f28343e0ee6d3f04
  Size: 8.85 MB
- nodejs-debugsource-10.24.0-1.module+el8+1212+8a4373da.x86_64.rpm
  MD5: 69b5ef23f458c02762e52ef62f9d5179
  SHA-256: a9bc439c4f6876be7700228a636641fc002155d4d5aaebe804c16dcb393d76d8
  Size: 9.70 MB
- nodejs-devel-10.24.0-1.module+el8+1212+8a4373da.x86_64.rpm
  MD5: e52733c8efeebcf9e3e8b75c6b9874b2
  SHA-256: 2e0fe5a7393aae25d19c552cdd64a36c03e6335ccf3f4692180a43e62e8dc0ed
  Size: 162.83 kB
- nodejs-docs-10.24.0-1.module+el8+1212+8a4373da.noarch.rpm
  MD5: 1687b740de98f857c6b71fcf23206d68
  SHA-256: c5714916c0582d32a7c8296240a72d709e5190a508227c89f2992b4ad2282f95
  Size: 3.36 MB
- nodejs-full-i18n-10.24.0-1.module+el8+1212+8a4373da.x86_64.rpm
  MD5: dec6b9f215568f105656476c525d04ee
  SHA-256: a686fbf757a2ee449ed460b4acf779d6d97440180071cd1dde20d15fefb4f76b
  Size: 7.29 MB
- npm-6.14.11-1.10.24.0.1.module+el8+1212+8a4373da.x86_64.rpm
  MD5: b13153f8ac89e2268b1cd5d78b9e329b
  SHA-256: f5e1394f1a0575d2df8288495722d1fc413f22e144e554434e197d5a737a296e
  Size: 3.67 MB