nodejs:20 security update
エラータID: AXSA:2024-7668:01
リリース日:
2024/04/11 Thursday - 17:18
題名:
nodejs:20 security update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Node.js の権限モデル機能には、ファイルパス中のワイルド
カード表記 (*) 以降の文字が評価されない問題があるため、
ローカルの攻撃者により、意図しないファイルへの不正な
アクセス、およびサービス拒否攻撃を可能とする脆弱性が
存在します。(CVE-2024-21890)
- Node.js には、node:fs モジュール向けに提供されている
ファイルパスの正規化を目的とした内蔵ユーティリティー
関数をユーザー定義の関数によってオーバーライドできて
しまう問題があるため、ローカルの攻撃者により、細工
されたユーザー定義の関数の実装を介して、権限モデル機能
の迂回を可能とする脆弱性が存在します。(CVE-2024-21891)
- Node.js には、特定の機能を利用のうえ、対象のプロセスを
特権に昇格して実行する際、本来評価すべき特権を持たない
利用者によって設定された環境変数を無視してしまう問題が
あるため、ローカルの攻撃者により、特権で実行できる任意
のコードの挿入を可能とする脆弱性が存在します。
(CVE-2024-21892)
- Node.js の権限モデル機能には、path.resolve() 関数の結果
を改竄できてしまう問題があるため、ローカルの攻撃者に
より、Buffer.prototype.utf8Write() 関数への細工されたモンキー
パッチの適用を介して、パストラバーサル攻撃を可能とする
脆弱性が存在します。(CVE-2024-21896)
- Node.js には、setuid(2) システムコールを実行する前に初期化
された場合の動作に問題があるため、ローカルの攻撃者により、
特権昇格を可能とする脆弱性が存在します。(CVE-2024-22017)
- Node.js の HTTP サーバー機能には、チャンク拡張データ
サイズを制限する処理が欠落しており、単一のコネクション
から制限なくデータを読み取ってしまう問題があるため、
リモートの攻撃者により、巧妙に細工された HTTP リクエスト
の送信を介して、サービス拒否攻撃 (CPU リソースおよび
ネットワーク帯域の枯渇) を可能とする脆弱性が存在します。
(CVE-2024-22019)
現時点では下記の CVE の情報が公開されておりません。
CVE の情報が公開され次第情報をアップデートいたします。
CVE-2023-46809
Modularity name: nodejs
Stream name: 20
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2023-46809
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
** RESERVED ** This candidate has been reserved by an organization or individual that will use it when announcing a new security problem. When the candidate has been publicized, the details for this candidate will be provided.
CVE-2024-21890
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
The Node.js Permission Model does not clarify in the documentation that wildcards should be only used as the last character of a file path. For example: ``` --allow-fs-read=/home/node/.ssh/*.pub ``` will ignore `pub` and give access to everything after `.ssh/`. This misleading documentation affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2024-21891
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
Node.js depends on multiple built-in utility functions to normalize paths provided to node:fs functions, which can be overwitten with user-defined implementations leading to filesystem permission model bypass through path traversal attack. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2024-21892
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.
On Linux, Node.js ignores certain environment variables if those may have been set by an unprivileged user while the process is running with elevated privileges with the only exception of CAP_NET_BIND_SERVICE. Due to a bug in the implementation of this exception, Node.js incorrectly applies this exception even when certain other capabilities have been set. This allows unprivileged users to inject code that inherits the process's elevated privileges.
CVE-2024-21896
The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
The permission model protects itself against path traversal attacks by calling path.resolve() on any paths given by the user. If the path is to be treated as a Buffer, the implementation uses Buffer.from() to obtain a Buffer from the result of path.resolve(). By monkey-patching Buffer internals, namely, Buffer.prototype.utf8Write, the application can modify the result of path.resolve(), which leads to a path traversal vulnerability. This vulnerability affects all users using the experimental permission model in Node.js 20 and Node.js 21. Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.
CVE-2024-22017
setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.
setuid() does not affect libuv's internal io_uring operations if initialized before the call to setuid(). This allows the process to perform privileged operations despite presumably having dropped such privileges through a call to setuid(). This vulnerability affects all users using version greater or equal than Node.js 18.18.0, Node.js 20.4.0 and Node.js 21.
CVE-2024-22019
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
A vulnerability in Node.js HTTP servers allows an attacker to send a specially crafted HTTP request with chunked encoding, leading to resource exhaustion and denial of service (DoS). The server reads an unbounded number of bytes from a single connection, exploiting the lack of limitations on chunk extension bytes. The issue can cause CPU and network bandwidth exhaustion, bypassing standard safeguards like timeouts and body size limits.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el8+1739+20253e11.src.rpm
MD5: 01171975cffb46b60b318c6dbc4e9827
SHA-256: f6d0b9f819b0d5a3e1b7e634adf6504f42a4cade4431229ea3d5be725d10735f
Size: 339.85 kB - nodejs-packaging-2021.06-4.module+el8+1739+20253e11.src.rpm
MD5: acad2102403a3b415f2b6d36c3cd36c0
SHA-256: c387758248bf6b34c1d9d2382fe36f6fbe0682965bb159f24cbb9f0e7e2881e9
Size: 30.29 kB - nodejs-20.11.1-1.module+el8+1739+20253e11.src.rpm
MD5: 9e92009528b22e3d5ff6c7de507b0946
SHA-256: a54615bc1dc81d3c975a734118d11197a0a6dd034e6403df30dcf0dea39a7855
Size: 82.58 MB
Asianux Server 8 for x86_64
- nodejs-20.11.1-1.module+el8+1739+20253e11.x86_64.rpm
MD5: c58a802e3832bd18382dda58c0a31f25
SHA-256: 9b253a71035b5945caa9add50205c3a77850a4bdf5e31f050b7945d4bfcad1cd
Size: 13.99 MB - nodejs-debugsource-20.11.1-1.module+el8+1739+20253e11.x86_64.rpm
MD5: 20caf987126d2333d027b0a993274b23
SHA-256: f998c3689e169b2647d15a9df986764aafe52a00988ccde8116e33bd5f01c8ac
Size: 11.27 MB - nodejs-devel-20.11.1-1.module+el8+1739+20253e11.x86_64.rpm
MD5: b7039bb9cd934937d794990932d2aeb6
SHA-256: cc938ce6e69e819898db758ca10e29ae46c89e299f38cd26f2a01637cd210f1d
Size: 260.08 kB - nodejs-docs-20.11.1-1.module+el8+1739+20253e11.noarch.rpm
MD5: 9291d983b789c97821ee346cc847e0e8
SHA-256: cb6093ff3987afad8652bb8f4746e5b8e528833936704c582d0a0a08b7912f88
Size: 10.45 MB - nodejs-full-i18n-20.11.1-1.module+el8+1739+20253e11.x86_64.rpm
MD5: 34f52e22a2c38871badf89090f583ed0
SHA-256: 873cef982f20f4f89389dc143a69a64583a08328a1171a9eba9d958152273da2
Size: 8.25 MB - nodejs-nodemon-3.0.1-1.module+el8+1739+20253e11.noarch.rpm
MD5: cf23a1a77fbcb07ff14449fe566938fb
SHA-256: edd01d431ab5dcedfbe918a4f8935f42264361d41a1205416838ef1c265752d1
Size: 281.66 kB - nodejs-packaging-2021.06-4.module+el8+1739+20253e11.noarch.rpm
MD5: f18b887720b2ae5f7da7cbaa198be0de
SHA-256: 404068a88113e669b259a44f6d760fb439e6bfb42c6af8613469fb3f44e386a3
Size: 24.14 kB - nodejs-packaging-bundler-2021.06-4.module+el8+1739+20253e11.noarch.rpm
MD5: 63e046ec2d5ed3010584dfdbd1f78907
SHA-256: 39cea90589720b92b29380cd376d6085201a959db1ce0ffa237e473307a72f0d
Size: 13.76 kB - npm-10.2.4-1.20.11.1.1.module+el8+1739+20253e11.x86_64.rpm
MD5: 81b3dc11835c77a4fefa0183d7e1c081
SHA-256: 89a82a05f02d4694e6d2c8b072ef05fe0e665637f4739c299a9442214940065c
Size: 2.12 MB
English