nodejs:18 security update
エラータID: AXSA:2023-6227:01
リリース日:
2023/07/13 Thursday - 06:20
題名:
nodejs:18 security update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Node.js の c-ares パッケージの ares_set_sortlist 関数には、入力
文字列の妥当性を確認しない問題があるため、リモートの攻撃者に
より、細工された文字列の入力を介して、スタックオーバーフロー
の発生やサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2022-4904)
- c-ares には、CARES_RANDOM_FILE ビルドオプションを設定
していないことに起因して rand() 関数が使用されてしまう問題が
あるため、リモートの攻撃者により、内部で利用されている乱数
の予測を可能とする脆弱性が存在します。(CVE-2023-31124)
- c-ares の ares_inet_net_pton() 関数には、バッファアンダーフロー
の問題があるため、ローカルの攻撃者により、"0::00:00:00/2" など
の特定の IPv6 アドレスの入力を介して、クラッシュの発生とこれ
に起因するサービス拒否攻撃を可能とする脆弱性が存在します。
(CVE-2023-31130)
- c-ares には、/dev/urandom デバイスファイルもしくは
RtlGenRandom() 関数が利用できない場合、rand() 関数を用いて
生成した予測可能な乱数を DNS クエリ ID の生成に使用してしまう
問題があるため、リモートの攻撃者により、DNS 応答の偽装を可能
とする脆弱性が存在します。(CVE-2023-31147)
- c-ares には、誤ってソケットをシャットダウンしてしまう問題が
あるため、リモートの攻撃者により、データ長が 0 バイトとなる
ように細工された応答パケットを介して、サービス拒否攻撃を可能
とする脆弱性が存在します。(CVE-2023-32067)
Modularity name: nodejs
Stream name: 18
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2022-4904
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity.
CVE-2023-31124
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
c-ares is an asynchronous resolver library. When cross-compiling c-ares and using the autotools build system, CARES_RANDOM_FILE will not be set, as seen when cross compiling aarch64 android. This will downgrade to using rand() as a fallback which could allow an attacker to take advantage of the lack of entropy by not using a CSPRNG. This issue was patched in version 1.19.1.
CVE-2023-31130
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
c-ares is an asynchronous resolver library. ares_inet_net_pton() is vulnerable to a buffer underflow for certain ipv6 addresses, in particular "0::00:00:00/2" was found to cause an issue. C-ares only uses this function internally for configuration purposes which would require an administrator to configure such an address via ares_set_sortlist(). However, users may externally use ares_inet_net_pton() for other purposes and thus be vulnerable to more severe issues. This issue has been fixed in 1.19.1.
CVE-2023-31147
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
c-ares is an asynchronous resolver library. When /dev/urandom or RtlGenRandom() are unavailable, c-ares uses rand() to generate random numbers used for DNS query ids. This is not a CSPRNG, and it is also not seeded by srand() so will generate predictable output. Input from the random number generator is fed into a non-compilant RC4 implementation and may not be as strong as the original RC4 implementation. No attempt is made to look for modern OS-provided CSPRNGs like arc4random() that is widely available. This issue has been fixed in version 1.19.1.
CVE-2023-32067
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
c-ares is an asynchronous resolver library. c-ares is vulnerable to denial of service. If a target resolver sends a query, the attacker forges a malformed UDP packet with a length of 0 and returns them to the target resolver. The target resolver erroneously interprets the 0 length as a graceful shutdown of the connection. This issue has been patched in version 1.19.1.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-2.0.20-2.module+el8+1650+daaf1bbb.src.rpm
MD5: 72e039b7e155fde8e0ac25830b9e4b83
SHA-256: 6c045a86d5b9b8efc5f23640f2e3b7e4a2e744744521a9a90d442281fc95e19d
Size: 342.26 kB - nodejs-packaging-2021.06-4.module+el8+1650+daaf1bbb.src.rpm
MD5: ec52742a5a52759babfdbd650e315ff9
SHA-256: 9acfbc9ffdbd6ce4aa524151f91e13b099a74b40660a0c945e86589956e713d0
Size: 30.29 kB - nodejs-18.14.2-3.module+el8+1650+daaf1bbb.src.rpm
MD5: 62e6230543bdee74d4274cbc9e0f9e06
SHA-256: 7dbb8208e450607b6e6b5c77a79f23f82d2e34a578fb671db89eb6de5bb3947b
Size: 77.93 MB
Asianux Server 8 for x86_64
- nodejs-18.14.2-3.module+el8+1650+daaf1bbb.x86_64.rpm
MD5: 0c2dfd1170d1266fa756ea06ae1f02a9
SHA-256: 46c513da900441853c27ec7b34060fa5bfab5d64cd0ce21272ffd0fc7e981883
Size: 13.40 MB - nodejs-debugsource-18.14.2-3.module+el8+1650+daaf1bbb.x86_64.rpm
MD5: 85ed9dd764c622e7b49b9dff85334eea
SHA-256: 7d9d74b1def4a114ef7e0a3cee82e92f08028137dcd090779ae5387ce5a3070a
Size: 13.96 MB - nodejs-devel-18.14.2-3.module+el8+1650+daaf1bbb.x86_64.rpm
MD5: a0ff8ff382805de5785654715ed0a649
SHA-256: 2ffa7f44ad61684bf0b85a1dbcce41e4c7afb6a11f3c2574dde680f33680635e
Size: 205.99 kB - nodejs-docs-18.14.2-3.module+el8+1650+daaf1bbb.noarch.rpm
MD5: 253155fef185d7f8e12936f1e0c5bf31
SHA-256: 8a963aa46d0ae547958e3d6959b94f3cb5e7b37a42ac139a057ae1e59d022fa7
Size: 9.78 MB - nodejs-full-i18n-18.14.2-3.module+el8+1650+daaf1bbb.x86_64.rpm
MD5: 744b4354569ec2daeb6f7fcfb70c63b1
SHA-256: 35bac27a985a8b89320d388afc8744bd1de89df81ed5377be1cc479f3619283c
Size: 8.18 MB - nodejs-nodemon-2.0.20-2.module+el8+1650+daaf1bbb.noarch.rpm
MD5: 889445f9b58c6e315d32885249f154c7
SHA-256: 633e8728a1af042e78a00c895fd3cb1eac7996c989d2a78f3ec1557cc5133206
Size: 274.24 kB - nodejs-packaging-2021.06-4.module+el8+1650+daaf1bbb.noarch.rpm
MD5: 9bf96a94cf670aca440742b506c33520
SHA-256: e947911ed6e4abb0a1f7763785684f4a2f955b6c74e3851fe85ca5824bd02d29
Size: 24.14 kB - nodejs-packaging-bundler-2021.06-4.module+el8+1650+daaf1bbb.noarch.rpm
MD5: aea81c14438e1a7d1354604686cda191
SHA-256: a9fbe2bf43b67de4c084d45a414d75ba56d77cb334218087701008ef599975dc
Size: 13.76 kB - npm-9.5.0-1.18.14.2.3.module+el8+1650+daaf1bbb.x86_64.rpm
MD5: 29223229fc26a14968b90997d69f7422
SHA-256: 11b2cbec23bc0901253bd941b6a2e83b34eec20b11faa155fa4f430024b88d2d
Size: 2.20 MB
English