nodejs:14 security and bug fix update
エラータID: AXSA:2021-2448:01
リリース日:
2021/09/29 Wednesday - 01:01
題名:
nodejs:14 security and bug fix update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Node.js の dns ライブラリにはドメインネームサーバーから返されるホスト名の入力検証が
欠けているため、ライブラリを使用しているアプリケーションにホスト名を誤表示したり、
インジェクションをもたらす問題があり、リモートコード実行、クロスサイトスクリプティング、
アプリケーションのクラッシュが発生する脆弱性があります。(CVE-2021-22931)
- Node.js の https API には、APIを不正確に使用して "rejectUnauthorized" パラメーター に
"undefined" を渡すとエラーが返されず、期限切れの証明書を持つサーバへの接続が
受け入れられてしまう脆弱性があります。(CVE-2021-22939)
- Node.js には解放後使用の問題があり、攻撃者がメモリー内のデータ領域を破壊し、
プロセスの動作を変化させてしまう脆弱性があります。(CVE-2021-22940)
- path-parse パッケージには、正規表現を表わす変数 splitDeviceRe、splitTailRe、
splitPathRe を介して、正規表現サービス拒否 (ReDoS) に陥る脆弱性があります。
(CVE-2021-23343)
- npm パッケージ の "tar" には、シンボリックリンクの保護が不十分な問題があり、
tarファイルの中に同名のディレクトリとシンボリックリンクが含まれている場合、
ディレクトリを作成した後にシンボリックリンクのチェックをバイパスしてディレクトリと
置き換えてしまうため、シンボリックリンク先に tar ファイルに含まれる任意のファイルが
作成/上書きされる脆弱性があります。(CVE-2021-32803)
- npm パッケージの "tar" には、絶対パスのサニタイズが不十分な問題があり、tar ファイルに
含まれる絶対パスの先頭の "/" しか取り除かないため、"////home/user/.bashrc" のような
パスがあると絶対パスが残ってしまい、任意のファイルを作成/上書きできる脆弱性があります。
なお、"entty.path" をサニタイズするカスタムの ”onentry” メソッドを作成するか、もしくは
絶対パスを消去する ”filter” メソッドを使うことで脆弱性を回避できます。(CVE-2021-32804)
現時点では CVE-2021-22930, CVE-2021-3672 の情報が公開されておりません。
CVE の情報が公開され次第情報をアップデートいたします。
Modularity name: nodejs
Stream name: 14
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2021-22930
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2021-22931
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
Node.js before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to Remote Code Execution, XSS, Application crashes due to missing input validation of host names returned by Domain Name Servers in Node.js dns library which can lead to output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
CVE-2021-22939
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVE-2021-22940
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
Node.js before 16.6.1, 14.17.5, and 12.22.5 is vulnerable to a use after free attack where an attacker might be able to exploit the memory corruption, to change process behavior.
CVE-2021-23343
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
All versions of package path-parse are vulnerable to Regular Expression Denial of Service (ReDoS) via splitDeviceRe, splitTailRe, and splitPathRe regular expressions. ReDoS exhibits polynomial worst-case time complexity.
CVE-2021-32803
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
The npm package "tar" (aka node-tar) before versions 6.1.2, 5.0.7, 4.4.15, and 3.2.3 has an arbitrary File Creation/Overwrite vulnerability via insufficient symlink protection. `node-tar` aims to guarantee that any file whose location would be modified by a symbolic link is not extracted. This is, in part, achieved by ensuring that extracted directories are not symlinks. Additionally, in order to prevent unnecessary `stat` calls to determine whether a given path is a directory, paths are cached when directories are created. This logic was insufficient when extracting tar files that contained both a directory and a symlink with the same name as the directory. This order of operations resulted in the directory being created and added to the `node-tar` directory cache. When a directory is present in the directory cache, subsequent calls to mkdir for that directory are skipped. However, this is also where `node-tar` checks for symlinks occur. By first creating a directory, and then replacing that directory with a symlink, it was thus possible to bypass `node-tar` symlink checks on directories, essentially allowing an untrusted tar file to symlink into an arbitrary location and subsequently extracting arbitrary files into that location, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.3, 4.4.15, 5.0.7 and 6.1.2.
CVE-2021-32804
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
The npm package "tar" (aka node-tar) before versions 6.1.1, 5.0.6, 4.4.14, and 3.3.2 has a arbitrary File Creation/Overwrite vulnerability due to insufficient absolute path sanitization. node-tar aims to prevent extraction of absolute file paths by turning absolute paths into relative paths when the `preservePaths` flag is not set to `true`. This is achieved by stripping the absolute path root from any absolute file paths contained in a tar file. For example `/home/user/.bashrc` would turn into `home/user/.bashrc`. This logic was insufficient when file paths contained repeated path roots such as `////home/user/.bashrc`. `node-tar` would only strip a single path root from such paths. When given an absolute file path with repeating path roots, the resulting path (e.g. `///home/user/.bashrc`) would still resolve to an absolute path, thus allowing arbitrary file creation and overwrite. This issue was addressed in releases 3.2.2, 4.4.14, 5.0.6 and 6.1.1. Users may work around this vulnerability without upgrading by creating a custom `onentry` method which sanitizes the `entry.path` or a `filter` method which removes entries with absolute paths. See referenced GitHub Advisory for details. Be aware of CVE-2021-32803 which fixes a similar bug in later versions of tar.
CVE-2021-3672
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-2.0.3-1.module+el8+1308+aff2ba50.src.rpm
MD5: 4d71967f9dabac95e8366a5e966b1204
SHA-256: a0d5a3391d3deaadfb4be19429c1677e04807f9985e39f793ee866abec7e7c9d
Size: 1.15 MB - nodejs-packaging-23-3.module+el8+1308+aff2ba50.src.rpm
MD5: d9f5e227abf0e6eab6e2a1b3aa587e16
SHA-256: d289e1b764ba35fe48237763ef31378feb42eda6d9500faf00da9e89deeccb82
Size: 26.56 kB - nodejs-14.17.5-1.module+el8+1308+aff2ba50.src.rpm
MD5: f1c36e6d8ade143ae9d3eadf12cad6f5
SHA-256: 5d452c9f7ff2876068fc5d855175ecd4a1ca2bc452c52dcf135a9c1f88619112
Size: 66.15 MB
Asianux Server 8 for x86_64
- nodejs-nodemon-2.0.3-1.module+el8+1308+aff2ba50.noarch.rpm
MD5: 3081021fd3ec549e51f51ea8516d0206
SHA-256: 29742dcacc8d8f3bb0311c26b21601f8dad679dde340c110a365b41aba32719a
Size: 807.00 kB - nodejs-packaging-23-3.module+el8+1308+aff2ba50.noarch.rpm
MD5: 956ad54ecfca79d2c94a30bb71e6242c
SHA-256: 0ff514a429141c6f417947a73dca127cce601b808d9438dd8caa3dacf11da9cc
Size: 22.99 kB - nodejs-14.17.5-1.module+el8+1308+aff2ba50.x86_64.rpm
MD5: 59146d4c5f461c302ef5ccb82d539135
SHA-256: 6030492466a070bdbbdbbc08cad5db7681364f815dc7e10468fc57a60df6a2a0
Size: 10.75 MB - nodejs-debugsource-14.17.5-1.module+el8+1308+aff2ba50.x86_64.rpm
MD5: 28f616eb942a97011f8f9891ca25093c
SHA-256: 4826d224ed2cf7d8c451793985bc218b90cd72974244bed41258fb14a0e266ae
Size: 10.95 MB - nodejs-devel-14.17.5-1.module+el8+1308+aff2ba50.x86_64.rpm
MD5: 4bdfdff0d873d923df90639f58b92a9b
SHA-256: b637c785565b4450c19caec4212281fcb79f7bf987d858c82bb69408fbe72b8e
Size: 201.58 kB - nodejs-docs-14.17.5-1.module+el8+1308+aff2ba50.noarch.rpm
MD5: 814c963b21c4f2f542a5acc5517edf2a
SHA-256: 036bb9c63855101ee026f9c215b4c5a468f18fddd8e1b8776984da2662c9d491
Size: 8.15 MB - nodejs-full-i18n-14.17.5-1.module+el8+1308+aff2ba50.x86_64.rpm
MD5: d07ea8bb56f0b278e6a2e318ae3e7b39
SHA-256: 1264036627eb080206b36d499fcb29c449645c64f48252d49036650b97c45eb1
Size: 7.61 MB - npm-6.14.14-1.14.17.5.1.module+el8+1308+aff2ba50.x86_64.rpm
MD5: b888f01fc0a1ad222f01cafa6af26f01
SHA-256: b3705ccf4f084bcabe48091f7664bb6d97e537fc3dadbf560314e9c62a3c3eec
Size: 3.67 MB
English