nodejs:20 security update
エラータID: AXSA:2024-7667:01
リリース日:
2024/04/11 Thursday - 16:48
題名:
nodejs:20 security update
影響のあるチャネル:
MIRACLE LINUX 9 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Node.js の権限モデル機能には、ファイルパス中のワイルド
カード表記 (*) 以降の文字が評価されない問題があるため、
ローカルの攻撃者により、意図しないファイルへの不正な
アクセス、およびサービス拒否攻撃を可能とする脆弱性が
存在します。(CVE-2024-21890)
- Node.js には、node:fs モジュール向けに提供されている
ファイルパスの正規化を目的とした内蔵ユーティリティー
関数をユーザー定義の関数によってオーバーライドできて
しまう問題があるため、ローカルの攻撃者により、細工
されたユーザー定義の関数の実装を介して、権限モデル機能
の迂回を可能とする脆弱性が存在します。(CVE-2024-21891)
- Node.js には、特定の機能を利用のうえ、対象のプロセスを
特権に昇格して実行する際、本来評価すべき特権を持たない
利用者によって設定された環境変数を無視してしまう問題が
あるため、ローカルの攻撃者により、特権で実行できる任意
のコードの挿入を可能とする脆弱性が存在します。
(CVE-2024-21892)
- Node.js の権限モデル機能には、path.resolve() 関数の結果
を改竄できてしまう問題があるため、ローカルの攻撃者に
より、Buffer.prototype.utf8Write() 関数への細工されたモンキー
パッチの適用を介して、パストラバーサル攻撃を可能とする
脆弱性が存在します。(CVE-2024-21896)
- Node.js には、setuid(2) システムコールを実行する前に初期化
された場合の動作に問題があるため、ローカルの攻撃者により、
特権昇格を可能とする脆弱性が存在します。(CVE-2024-22017)
- Node.js の HTTP サーバー機能には、チャンク拡張データ
サイズを制限する処理が欠落しており、単一のコネクション
から制限なくデータを読み取ってしまう問題があるため、
リモートの攻撃者により、巧妙に細工された HTTP リクエスト
の送信を介して、サービス拒否攻撃 (CPU リソースおよび
ネットワーク帯域の枯渇) を可能とする脆弱性が存在します。
(CVE-2024-22019)
現時点では下記の CVE の情報が公開されておりません。
CVE の情報が公開され次第情報をアップデートいたします。
CVE-2023-46809
Modularity name: nodejs
Stream name: 20
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2023-46809
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2024-21890
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2024-21891
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2024-21892
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.
CVE-2024-21896
The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2024-22017
setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.
setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.
CVE-2024-22019
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el9+1032+2597cc56.src.rpm
MD5: 02b312766f2f4a550b4b2f97a4091323
SHA-256: eaf7e4dfe7a992efbd9bba844262b021eb0904ed2866e65ccfdfd097c53ab6e9
Size: 339.27 kB - nodejs-packaging-2021.06-4.module+el9+1032+2597cc56.src.rpm
MD5: 068f85944c0063ca5930e6fdf7f1df0b
SHA-256: e431f76bc66306d9bddd918aa67b29d9134ef17e1d615320c84085fa24392088
Size: 26.54 kB - nodejs-20.11.1-1.module+el9+1032+2597cc56.src.rpm
MD5: 31ae12a0840e7b07564cf2f5ab8ace49
SHA-256: d6a07c8fe03e1e38bf3077f71d728beaef1e25bddaf1d8f2332cf04cf6a162a4
Size: 125.44 MB
Asianux Server 9 for x86_64
- nodejs-20.11.1-1.module+el9+1032+2597cc56.x86_64.rpm
MD5: a40e1830c268aabee438dbdd4cd80823
SHA-256: 8cce505112b2564484ea313f870cb2b2ec61ece170d86ce251bbff22c1dbdf16
Size: 13.65 MB - nodejs-debugsource-20.11.1-1.module+el9+1032+2597cc56.x86_64.rpm
MD5: 749176cd16f35d5356c0cbb452531b7f
SHA-256: 7ec582738be0bb52b9053101a08b49c1d0d5b7276b95a17ce51ad18e573c64b9
Size: 11.42 MB - nodejs-devel-20.11.1-1.module+el9+1032+2597cc56.x86_64.rpm
MD5: 1bde7b80e53ecb264afc5a218ffe55db
SHA-256: 2a15ce27c05d51f5019a2c730ed8de0d72c3b885a52989e57b9ff1d23b19f886
Size: 230.82 kB - nodejs-docs-20.11.1-1.module+el9+1032+2597cc56.noarch.rpm
MD5: 997bfd8d558e8c34bd702aba42bbb084
SHA-256: 6aea08954c60006d6c0d40c70c4182f045bffde29c423060b95b18b4b3b08050
Size: 8.00 MB - nodejs-full-i18n-20.11.1-1.module+el9+1032+2597cc56.x86_64.rpm
MD5: ac68a01973548f0e5edcfb3f29681b9f
SHA-256: 71062aaf33d8c8f42a218adb85bfd86ad786baa2d349e78fe74fbea7d74f030e
Size: 8.52 MB - nodejs-nodemon-3.0.1-1.module+el9+1032+2597cc56.noarch.rpm
MD5: 415c098f7ff5e05d569c89d465c469ec
SHA-256: 2ea30c430db6f2f5972b02bc3d70051c25c1cefe26ed9376996f50aa635023c6
Size: 268.41 kB - nodejs-packaging-2021.06-4.module+el9+1032+2597cc56.noarch.rpm
MD5: d5df98b987e63617a4c750937b102b22
SHA-256: 8c59d528763c703e79ed004d9849d3b3409f46cfa6e3eaccab6d40c655377ba5
Size: 19.92 kB - nodejs-packaging-bundler-2021.06-4.module+el9+1032+2597cc56.noarch.rpm
MD5: 12b0c950c76c1a5c31d74ac0aff9057c
SHA-256: 7cb3518c65330fdefab036f20419161fac5e20ed12b8e4f4e120c23343fafd79
Size: 9.76 kB - npm-10.2.4-1.20.11.1.1.module+el9+1032+2597cc56.x86_64.rpm
MD5: 8ec697f9893205f31d2eb900b02658fb
SHA-256: 483b6c2bf2f1c39c9c87792f0eb4a824ee7aa6dfc1a16ed1b1b9eb77c8e7da18
Size: 1.94 MB
English