nodejs:20 security update
エラータID: AXSA:2024-7740:01
リリース日:
2024/05/10 Friday - 22:08
題名:
nodejs:20 security update
影響のあるチャネル:
Asianux Server 8 for x86_64
Severity:
High
Description:
以下項目について対処しました。
[Security Fix]
- Node.js の fetch() 関数には、リモートの攻撃者により、
細工された URL を介して、サービス拒否攻撃 (メモリ枯渇)
を可能とする脆弱性が存在します。(CVE-2024-22025)
- c-ares の ares__read_line() 関数には、バッファー領域
の範囲外読み取りの問題があるため、ローカルの攻撃者に
より、/etc/resolv.conf、/etc/nsswitch.conf、HOSTALIASES、
/etc/hosts ファイルなどの解析対象のファイルの行の冒頭に
NULL 文字が埋め込まれるように細工されたファイルの処理
を介して、サービス拒否攻撃 (クラッシュの発生) を可能と
する脆弱性が存在します。(CVE-2024-25629)
- Node.js の HTTP サーバー機能には、Content Length ヘッダー
の前に空白文字が含まれている場合の解析処理に問題がある
ため、リモートの攻撃者により、細工された HTTP リクエスト
を介して、HTTP リクエストスマグリング攻撃、およびクロス
サイトスクリプティング攻撃を可能とする脆弱性が存在します。
(CVE-2024-27982)
- Node.js の HTTP/2 プロトコルの実装には、単一ストリーム
内で送信可能な CONTINUATION フレームのサイズが制限されて
いない問題があるため、リモートの攻撃者により、細工された
HTTP/2 CONTINUATION フレームを含むパケットの送信を
介して、サービス拒否攻撃 (メモリ枯渇) を可能とする脆弱性
が存在します。(CVE-2024-27983)
- nghttp2 の HTTP/2 プロトコルスタックには、HPACK
コンテキストのストリームのリセット後も
HTTP/2 CONTINUATION フレームを読み取り続けてしまう問題
があるため、リモートの攻撃者により、細工されたパケットの
送信を介して、サービス拒否攻撃 (CPU リソースおよびメモリ
の枯渇) を可能とする脆弱性が存在します。(CVE-2024-28182)
Modularity name: nodejs
Stream name: 20
解決策:
パッケージをアップデートしてください。
CVE:
CVE-2024-22025
A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.
A vulnerability in Node.js has been identified, allowing for a Denial of Service (DoS) attack through resource exhaustion when using the fetch() function to retrieve content from an untrusted URL. The vulnerability stems from the fact that the fetch() function in Node.js always decodes Brotli, making it possible for an attacker to cause resource exhaustion when fetching content from an untrusted URL. An attacker controlling the URL passed into fetch() can exploit this vulnerability to exhaust memory, potentially leading to process termination, depending on the system configuration.
CVE-2024-25629
c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.
c-ares is a C library for asynchronous DNS requests. `ares__read_line()` is used to parse local configuration files such as `/etc/resolv.conf`, `/etc/nsswitch.conf`, the `HOSTALIASES` file, and if using a c-ares version prior to 1.27.0, the `/etc/hosts` file. If any of these configuration files has an embedded `NULL` character as the first character in a new line, it can lead to attempting to read memory prior to the start of the given buffer which may result in a crash. This issue is fixed in c-ares 1.27.0. No known workarounds exist.
CVE-2024-27982
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
The team has identified a critical vulnerability in the http server of the most recent version of Node, where malformed headers can lead to HTTP request smuggling. Specifically, if a space is placed before a content-length header, it is not interpreted correctly, enabling attackers to smuggle in a second request within the body of the first.
CVE-2024-27983
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
An attacker can make the Node.js HTTP/2 server completely unavailable by sending a small amount of HTTP/2 frames packets with a few HTTP/2 frames inside. It is possible to leave some data in nghttp2 memory after reset when headers with HTTP/2 CONTINUATION frame are sent to the server and then a TCP connection is abruptly closed by the client triggering the Http2Session destructor while header frames are still being processed (and stored in memory) causing a race condition.
CVE-2024-28182
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
nghttp2 is an implementation of the Hypertext Transfer Protocol version 2 in C. The nghttp2 library prior to version 1.61.0 keeps reading the unbounded number of HTTP/2 CONTINUATION frames even after a stream is reset to keep HPACK context in sync. This causes excessive CPU usage to decode HPACK stream. nghttp2 v1.61.0 mitigates this vulnerability by limiting the number of CONTINUATION frames it accepts per stream. There is no workaround for this vulnerability.
追加情報:
N/A
ダウンロード:
SRPMS
- nodejs-nodemon-3.0.1-1.module+el8+1750+6a160498.src.rpm
MD5: f8e39e805999631b22d9926a50b7fd22
SHA-256: 30ca9030970decf42bc74561f8fac168ee16ee8c5de4dca5096868c072d079f7
Size: 339.85 kB - nodejs-packaging-2021.06-4.module+el8+1750+6a160498.src.rpm
MD5: 6d61acba0e6dc26044f58f3290deeb58
SHA-256: 1aac1147aa7fd5d26d373259da21515a6510b5a4e8d0bab4ff19a433f1153613
Size: 30.29 kB - nodejs-20.12.2-2.module+el8+1750+6a160498.src.rpm
MD5: 890d2afa8c949307044f52a218a227d7
SHA-256: 262d230c23983ac3da3289a65d4991f74ccc5f905634b9f51ead50cdc8215cf0
Size: 81.38 MB
Asianux Server 8 for x86_64
- nodejs-20.12.2-2.module+el8+1750+6a160498.x86_64.rpm
MD5: 68502dc10e0c3c0b53a30343f2e9f0d6
SHA-256: 0d23b9288f1f0f1453762851b0e3a33e279c91ccdeefdb4d52a944f9b1798e4c
Size: 14.33 MB - nodejs-debugsource-20.12.2-2.module+el8+1750+6a160498.x86_64.rpm
MD5: 9f08f3840bd9dcadae0466b957a8a6c8
SHA-256: ddd2f73c927b5f7a2de8cfa63b6915310da69b363f7625c00b7346077bb69070
Size: 11.76 MB - nodejs-devel-20.12.2-2.module+el8+1750+6a160498.x86_64.rpm
MD5: 2164cceb8520008ebfc3daf131e339c1
SHA-256: a1ffff54d3679f5087ff04d3ca3bdda87cebdfc2e8631c1bd2b7e2f5a23cc95f
Size: 261.43 kB - nodejs-docs-20.12.2-2.module+el8+1750+6a160498.noarch.rpm
MD5: a06fded7f9d383c9fd49a4cc0f3ac0e3
SHA-256: 19c1a356473f249b5c7b5d43ce128231c0a0511491426c0097c7ff42ea4dc7e7
Size: 10.57 MB - nodejs-full-i18n-20.12.2-2.module+el8+1750+6a160498.x86_64.rpm
MD5: b827ac82874769371bc1f9f1f1c2aea3
SHA-256: ea73a89c86704cf3454068df14106df896dc4761374fa9e371dfd66e31f5baf2
Size: 8.17 MB - nodejs-nodemon-3.0.1-1.module+el8+1750+6a160498.noarch.rpm
MD5: c0b61e08a7637e48f89bc3c38fe88243
SHA-256: 61e973160c43e7094108943fb641b4ed4153e144f94c60810061d42bfcb81dcf
Size: 281.66 kB - nodejs-packaging-2021.06-4.module+el8+1750+6a160498.noarch.rpm
MD5: 6211c5a4da0108c767d436e87cb0759f
SHA-256: 295b2069ad590dd9236881f456b1e1482dae28a809a8bf2a279e931aec2c984c
Size: 24.14 kB - nodejs-packaging-bundler-2021.06-4.module+el8+1750+6a160498.noarch.rpm
MD5: 0433935c50f77e2ea7184692e86c3958
SHA-256: 54fbaba14949fb3a355f4c468c7495475d1d2b127f8c88bb2570cd9830c5f7e3
Size: 13.76 kB - npm-10.5.0-1.20.12.2.2.module+el8+1750+6a160498.x86_64.rpm
MD5: c9b1bb3d6d8c87b71432576743cd8e9f
SHA-256: 24abc7ee0b214d7cdbcc8befef69bd7223d122badb99482e1d2ae28eabc7c380
Size: 2.06 MB
English