nodejs:14 security update
エラータID: AXSA:2022-4368:01
リリース日:
2022/12/09 Friday - 09:20
題名:
nodejs:14 security update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
Moderate
Description:
以下項目について対処しました。
[Security Fix]
- nodejs には、名前が制約された中間証明書をバイパス
してしまう問題があるため、リモートの攻撃者により、
不正な証明書の検証を可能とする脆弱性が存在します。
(CVE-2021-44531)
- nodejs には、サブジェクト代替名の文字列表現形式に
インジェクションをもたらす問題があるため、リモートの
攻撃者により、巧妙に細工されたサブジェクト代替名を持つ
証明書を介して、不正な証明書の検証を可能とする脆弱性が
存在します。(CVE-2021-44532)
- nodejs には、多値の相対識別名を正しく扱えない問題が
あるため、リモートの攻撃者により、巧妙に細工された
サブジェクトを持つ証明書を介して、不正な証明書の検証を
可能とする脆弱性が存在します。(CVE-2021-44533)
- nodejs の console.table() には、書式設定ロジックに
問題があるため、プロトタイプ汚染攻撃を可能とする
脆弱性が存在します。(CVE-2022-21824)
- nodejs の HTTP モジュールの llhttp パーサーには、CR/LF
で終了していない HTTP ヘッダフィールドを適切に処理して
いない問題があるため、リモートの攻撃者により、巧妙に
細工した HTTP リクエストを介して、HTTP リクエスト
スマグリング攻撃を可能とする脆弱性が存在します。
(CVE-2022-35256)
Modularity name: nodejs
Stream name: 14
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2021-44531
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.
CVE-2021-44532
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.
CVE-2021-44533
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.
Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.
CVE-2022-21824
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.
Due to the formatting logic of the "console.table()" function it was not safe to allow user controlled input to be passed to the "properties" parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be "__proto__". The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to.
CVE-2022-35256
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
The llhttp parser in the http module in Node v18.7.0 does not correctly handle header fields that are not terminated with CLRF. This may result in HTTP Request Smuggling.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-2.0.19-2.module+el8+1546+322ad5a3.src.rpm
MD5: 1db38adf3297e94aa77691349ca550d5
SHA-256: 2b709c0970c06e5a661a1afd52694cd55e856347a4a53e1e6fe3d57cbc6822e6
Size: 394.65 kB - nodejs-packaging-23-3.module+el8+1546+322ad5a3.src.rpm
MD5: a51c316b0f0d2e071f95d03b6bd1cfa2
SHA-256: 5172890d7a9f6ecd81314eab1b0a1bec1067befe04e6d18b281aa94a104649ef
Size: 26.54 kB - nodejs-14.20.1-2.module+el8+1546+322ad5a3.src.rpm
MD5: b5906fa504b31946b3c11b778cf3de01
SHA-256: a4119dc8bef3c9f98c6ba2d631f550995ad8faa3c85c77dfb568b22bd0036a47
Size: 67.24 MB
Asianux Server 8 for x86_64
- nodejs-nodemon-2.0.19-2.module+el8+1546+322ad5a3.noarch.rpm
MD5: 59ad1c741875609e9bc56f7cae69349d
SHA-256: 8ad7323412af82e1ad2baecf1b8a02b1db7578a096bd942922781b505fc1c1b8
Size: 271.46 kB - nodejs-packaging-23-3.module+el8+1546+322ad5a3.noarch.rpm
MD5: 74fe23410bd720bceab78b9cba743902
SHA-256: ef36987e5a02f0cda49f036bcfab25ba844faae0fe4c82a67779df8aab628d75
Size: 22.98 kB - nodejs-14.20.1-2.module+el8+1546+322ad5a3.x86_64.rpm
MD5: a38bbdf3c50f211f405e281b2872605c
SHA-256: a122073f04ae9e65dd9ebd71edeb41148ac4cbcdf771f77bd450b44d00ee7cac
Size: 10.85 MB - nodejs-debugsource-14.20.1-2.module+el8+1546+322ad5a3.x86_64.rpm
MD5: 05315fb08ca7535c8789fe7149c9bdac
SHA-256: cc6297ca24e7379a59399686d2cbc9ef14ac4f1719d497dd0f6aea41d8fef3b8
Size: 11.06 MB - nodejs-devel-14.20.1-2.module+el8+1546+322ad5a3.x86_64.rpm
MD5: 6e451139cc6ecb78d896c274960daed4
SHA-256: 5c51181875a0dcea7aacb2977fc22f093964541383ba28de771086292d793ad9
Size: 204.75 kB - nodejs-docs-14.20.1-2.module+el8+1546+322ad5a3.noarch.rpm
MD5: e42447be65d653e70b56895d5ff35edc
SHA-256: 5cb91d6bacc9f94a60cc81d6a101656c27ae0ff6c72bcd75a9fbd991306563de
Size: 8.37 MB - nodejs-full-i18n-14.20.1-2.module+el8+1546+322ad5a3.x86_64.rpm
MD5: c24f4633e6606434ac01e6bebf3398d5
SHA-256: 41fba97d6d9645d4e2d077db6a6d9f6235e075842f45dd9849d3ee816da70411
Size: 7.85 MB - npm-6.14.17-1.14.20.1.2.module+el8+1546+322ad5a3.x86_64.rpm
MD5: 982fc349616e81c4a76b96885dfc8fa7
SHA-256: 65338cc19b41a7e4c8c67b9b21373fc9c9dccc592d3bfc84b0517e65cd01cd13
Size: 3.66 MB
English