Red Hat Security Advisory 2023-4330-01

Red Hat Security Advisory 2023-4330-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

Packet Storm

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
Red Hat Security Advisory

Synopsis: Moderate: nodejs:18 security, bug fix, and enhancement update
Advisory ID: RHSA-2023:4330-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2023:4330
Issue date: 2023-07-31
CVE Names: CVE-2023-30581 CVE-2023-30588 CVE-2023-30589
CVE-2023-30590
=====================================================================

1. Summary:

An update for the nodejs:18 module is now available for Red Hat Enterprise
Linux 9.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 9) - aarch64, noarch, ppc64le, s390x, x86_64

3. Description:

Node.js is a software development platform for building fast and scalable
network applications in the JavaScript programming language.

The package has been upgraded to a later upstream version: nodejs (18.16.1).
(BZ#2223314, BZ#2223316, BZ#2223318, BZ#2223319, BZ#2223320, BZ#2223354)

Security Fix(es):

  • nodejs: mainModule.__proto__ bypass of the experimental policy mechanism
    (CVE-2023-30581)

  • nodejs: process interruption due to invalid Public Key information in x509
    certificates (CVE-2023-30588)

  • nodejs: HTTP Request Smuggling via empty headers separated by CR
    (CVE-2023-30589)

  • nodejs: DiffieHellman does not generate keys after setting a private key
    (CVE-2023-30590)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

2219824 - CVE-2023-30581 nodejs: mainModule.__proto__ bypass of the experimental policy mechanism
2219838 - CVE-2023-30588 nodejs: process interruption due to invalid Public Key information in x509 certificates
2219841 - CVE-2023-30589 nodejs: HTTP Request Smuggling via empty headers separated by CR
2219842 - CVE-2023-30590 nodejs: DiffieHellman does not generate keys after setting a private key
2223320 - nodejs:18/nodejs: Remove /usr/etc/npmrc softlink. [rhel-9] [rhel-9.2.0.z]

6. Package List:

Red Hat Enterprise Linux AppStream (v. 9):

Source:
nodejs-18.16.1-1.module+el9.2.0.z+19424+78951f07.src.rpm
nodejs-nodemon-2.0.20-2.module+el9.2.0.z+18497+a402347c.src.rpm
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.src.rpm

aarch64:
nodejs-18.16.1-1.module+el9.2.0.z+19424+78951f07.aarch64.rpm
nodejs-debuginfo-18.16.1-1.module+el9.2.0.z+19424+78951f07.aarch64.rpm
nodejs-debugsource-18.16.1-1.module+el9.2.0.z+19424+78951f07.aarch64.rpm
nodejs-devel-18.16.1-1.module+el9.2.0.z+19424+78951f07.aarch64.rpm
nodejs-full-i18n-18.16.1-1.module+el9.2.0.z+19424+78951f07.aarch64.rpm
npm-9.5.1-1.18.16.1.1.module+el9.2.0.z+19424+78951f07.aarch64.rpm

noarch:
nodejs-docs-18.16.1-1.module+el9.2.0.z+19424+78951f07.noarch.rpm
nodejs-nodemon-2.0.20-2.module+el9.2.0.z+18497+a402347c.noarch.rpm
nodejs-packaging-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm
nodejs-packaging-bundler-2021.06-4.module+el9.1.0+15718+e52ec601.noarch.rpm

ppc64le:
nodejs-18.16.1-1.module+el9.2.0.z+19424+78951f07.ppc64le.rpm
nodejs-debuginfo-18.16.1-1.module+el9.2.0.z+19424+78951f07.ppc64le.rpm
nodejs-debugsource-18.16.1-1.module+el9.2.0.z+19424+78951f07.ppc64le.rpm
nodejs-devel-18.16.1-1.module+el9.2.0.z+19424+78951f07.ppc64le.rpm
nodejs-full-i18n-18.16.1-1.module+el9.2.0.z+19424+78951f07.ppc64le.rpm
npm-9.5.1-1.18.16.1.1.module+el9.2.0.z+19424+78951f07.ppc64le.rpm

s390x:
nodejs-18.16.1-1.module+el9.2.0.z+19424+78951f07.s390x.rpm
nodejs-debuginfo-18.16.1-1.module+el9.2.0.z+19424+78951f07.s390x.rpm
nodejs-debugsource-18.16.1-1.module+el9.2.0.z+19424+78951f07.s390x.rpm
nodejs-devel-18.16.1-1.module+el9.2.0.z+19424+78951f07.s390x.rpm
nodejs-full-i18n-18.16.1-1.module+el9.2.0.z+19424+78951f07.s390x.rpm
npm-9.5.1-1.18.16.1.1.module+el9.2.0.z+19424+78951f07.s390x.rpm

x86_64:
nodejs-18.16.1-1.module+el9.2.0.z+19424+78951f07.x86_64.rpm
nodejs-debuginfo-18.16.1-1.module+el9.2.0.z+19424+78951f07.x86_64.rpm
nodejs-debugsource-18.16.1-1.module+el9.2.0.z+19424+78951f07.x86_64.rpm
nodejs-devel-18.16.1-1.module+el9.2.0.z+19424+78951f07.x86_64.rpm
nodejs-full-i18n-18.16.1-1.module+el9.2.0.z+19424+78951f07.x86_64.rpm
npm-9.5.1-1.18.16.1.1.module+el9.2.0.z+19424+78951f07.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2023-30581
https://access.redhat.com/security/cve/CVE-2023-30588
https://access.redhat.com/security/cve/CVE-2023-30589
https://access.redhat.com/security/cve/CVE-2023-30590
https://access.redhat.com/security/updates/classification/#moderate

8. Contact:

The Red Hat security contact is secalert@redhat.com. More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2023 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
-----END PGP SIGNATURE-----

RHSA-announce mailing list
rhsa-announce@redhat.com
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Related news

Gentoo Linux Security Advisory 202405-29

Gentoo Linux Security Advisory 202405-29 - Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected.

Ubuntu Security Notice USN-6735-1

Ubuntu Security Notice 6735-1 - It was discovered that Node.js incorrectly handled the use of invalid public keys while creating an x509 certificate. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 23.10. It was discovered that Node.js incorrectly handled the use of CRLF sequences to delimit HTTP requests. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to obtain unauthorised access. This issue only affected Ubuntu 23.10.

Debian Security Advisory 5589-1

Debian Linux Security Advisory 5589-1 - Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, bypass of policy feature checks, denial of service or loading of incorrect ICU data.

CVE-2023-30581: Tuesday June 20 2023 Security Releases | Node.js

The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition. This vulnerability affects all users using the experimental policy mechanism in all active release lines: v16, v18 and v20. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

CVE-2023-38735: Security Bulletin: IBM Cognos Dashboards on Cloud Pak for Data has addressed security vulnerabilities

IBM Cognos Dashboards on Cloud Pak for Data 4.7.0 could allow a remote attacker to bypass security restrictions, caused by a reverse tabnabbing flaw. An attacker could exploit this vulnerability and redirect a victim to a phishing site. IBM X-Force ID: 262482.

CVE-2023-22130: Oracle Critical Patch Update Advisory - October 2023

Vulnerability in the Sun ZFS Storage Appliance product of Oracle Systems (component: Core). The supported version that is affected is 8.8.60. Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Sun ZFS Storage Appliance. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Sun ZFS Storage Appliance. CVSS 3.1 Base Score 5.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H).

Red Hat Security Advisory 2023-5533-01

Red Hat Security Advisory 2023-5533-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Issues addressed include HTTP request smuggling, buffer overflow, bypass, crlf injection, and denial of service vulnerabilities.

RHSA-2023:5533: Red Hat Security Advisory: nodejs security, bug fix, and enhancement update

An update for nodejs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-4904: A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. * CVE-2022-25881: A flaw was found in http-cache-se...

Red Hat Security Advisory 2023-5361-01

Red Hat Security Advisory 2023-5361-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling, bypass, and denial of service vulnerabilities.

RHSA-2023:5361: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-25883: A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in node-semver package via the 'new Range' function. This issue could allow an attacker to pass untrusted malicious regex user data as a range, causing the service to excessively consume CPU depending upon the input size, resulting ...

Red Hat Security Advisory 2023-4536-01

Red Hat Security Advisory 2023-4536-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

Red Hat Security Advisory 2023-4537-01

Red Hat Security Advisory 2023-4537-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. The package has been upgraded to a later upstream version: nodejs. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

RHSA-2023:4537: Red Hat Security Advisory: nodejs:16 security, bug fix, and enhancement update

An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-30581: No description is available for this CVE. * CVE-2023-30588: No description is available for this CVE. * CVE-2023-30589: The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to de...

RHSA-2023:4536: Red Hat Security Advisory: nodejs:18 security, bug fix, and enhancement update

An update for the nodejs:18 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-30581: No description is available for this CVE. * CVE-2023-30588: No description is available for this CVE. * CVE-2023-30589: The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to de...

Red Hat Security Advisory 2023-4331-01

Red Hat Security Advisory 2023-4331-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and bypass vulnerabilities.

RHSA-2023:4331: Red Hat Security Advisory: nodejs security, bug fix, and enhancement update

An update for nodejs is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2023-30581: No description is available for this CVE. * CVE-2023-30588: No description is available for this CVE. * CVE-2023-30589: The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP hea...

CVE-2023-37276: aiohttp.web.Application vulnerable to HTTP request smuggling via llhttp HTTP request parser

aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. aiohttp v3.8.4 and earlier are bundled with llhttp v6.0.6. Vulnerable code is used by aiohttp for its HTTP request parser when available which is the default case when installing from a wheel. This vulnerability only affects users of aiohttp as an HTTP server (ie `aiohttp.Application`), you are not affected by this vulnerability if you are using aiohttp as an HTTP client library (ie `aiohttp.ClientSession`). Sending a crafted HTTP request will cause the server to misinterpret one of the HTTP header values leading to HTTP request smuggling. This issue has been addressed in version 3.8.5. Users are advised to upgrade. Users unable to upgrade can reinstall aiohttp using `AIOHTTP_NO_EXTENSIONS=1` as an environment variable to disable the llhttp HTTP request parser implementation. The pure Python implementation isn't vulnerable.

CVE-2023-30589

The llhttp parser in the http module in Node v20.2.0 does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS). The CR character (without LF) is sufficient to delimit HTTP header fields in the llhttp parser. According to RFC 7230 section 3, only the CRLF sequence should delimit each header-field. This impacts all Node.js active versions: v16, v18 and v20.
