Ubuntu Security Notice USN-6643-1
Ubuntu Security Notice 6643-1 - Emre Durmaz discovered that the NPM IP package incorrectly distinguished between private and public IP addresses. A remote attacker could possibly use this issue to perform Server-Side Request Forgery attacks.
==========================================================================
Ubuntu Security Notice USN-6643-1
February 19, 2024
node-ip vulnerability
A security issue affects these releases of Ubuntu and its derivatives:
- Ubuntu 23.10
- Ubuntu 22.04 LTS (Available with Ubuntu Pro)
- Ubuntu 20.04 LTS (Available with Ubuntu Pro)
- Ubuntu 18.04 LTS (Available with Ubuntu Pro)
Summary:
NPM IP could be made to expose sensitive information over the
network.
Software Description:
- node-ip: IP address utilities for node.js
Details:
Emre Durmaz discovered that the NPM IP package incorrectly distinguished
between private and public IP addresses. A remote attacker could
possibly use this issue to perform Server-Side Request Forgery (SSRF)
attacks.
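The root cause described above is a classifier that disagrees with the operating system's socket layer about which host a string denotes. The following is an added example, not code from the advisory or from the node-ip project, showing the defensive pattern an SSRF guard should use instead: accept only a canonical IPv4 dotted-quad (or an IPv6-mapped one), treat every other spelling as invalid so the caller fails closed, and only then compare against the blocked ranges. The range list, function names and sample inputs are constructed for the example.

```javascript
'use strict';

// Ranges an outbound-request guard should normally refuse.
// Constructed list for this example; tune to your deployment.
const BLOCKED_RANGES = [
  ['0.0.0.0', 8],        // "this" network
  ['10.0.0.0', 8],       // RFC 1918
  ['100.64.0.0', 10],    // CGNAT shared address space
  ['127.0.0.0', 8],      // loopback
  ['169.254.0.0', 16],   // link-local, which includes cloud metadata endpoints
  ['172.16.0.0', 12],    // RFC 1918
  ['192.168.0.0', 16],   // RFC 1918
  ['224.0.0.0', 3],      // multicast, reserved and broadcast
];

// Parse a canonical IPv4 dotted-quad into an unsigned 32-bit number.
// Returns null for anything non-canonical: hexadecimal or octal octets,
// fewer than four parts, leading zeros, values above 255, or whitespace.
// Lenient parsers accept many of those spellings, and that leniency is
// exactly where a private/public check and the OS can disagree.
function parseCanonicalIPv4(str) {
  if (typeof str !== 'string') return null;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(str);
  if (!m) return null;
  let n = 0;
  for (let i = 1; i <= 4; i++) {
    const part = m[i];
    if (part.length > 1 && part[0] === '0') return null; // no leading zeros
    const v = Number(part);
    if (v > 255) return null;
    n = n * 256 + v; // multiply rather than shift to stay unsigned
  }
  return n;
}

// Strip an IPv6-mapped IPv4 prefix (::ffff:a.b.c.d) so the address is
// classified as the IPv4 host it denotes instead of passing as "IPv6".
function unmapIPv4(str) {
  const m = /^::ffff:(\d{1,3}(?:\.\d{1,3}){3})$/i.exec(String(str));
  return m ? m[1] : str;
}

// True when the top `bits` bits of addr equal those of the range base.
function inRange(addr, [base, bits]) {
  const b = parseCanonicalIPv4(base);
  const shift = 2 ** (32 - bits);
  return Math.floor(addr / shift) === Math.floor(b / shift);
}

// Returns 'public', 'private' or 'invalid'. 'invalid' is kept distinct from
// 'private' so that callers fail closed instead of guessing.
function classifyIPv4(input) {
  const addr = parseCanonicalIPv4(unmapIPv4(input));
  if (addr === null) return 'invalid';
  return BLOCKED_RANGES.some((r) => inRange(addr, r)) ? 'private' : 'public';
}

// Guard for an SSRF-sensitive fetcher: only canonical public addresses pass.
function isSafeOutboundTarget(input) {
  return classifyIPv4(input) === 'public';
}

if (typeof module !== 'undefined') {
  module.exports = { parseCanonicalIPv4, unmapIPv4, classifyIPv4, isSafeOutboundTarget };
}
```

Use the guard on addresses, not on hostnames: resolve the user-supplied host first, run every returned address through `isSafeOutboundTarget`, and then connect to that checked address rather than re-resolving the name, so the decision and the connection cannot drift apart.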
Update instructions:
The problem can be corrected by updating your system to the following
package versions:
Ubuntu 23.10:
node-ip 2.0.0+~1.1.0-1ubuntu0.1
Ubuntu 22.04 LTS (Available with Ubuntu Pro):
node-ip 1.1.5+~1.1.0-1ubuntu0.1~esm1
Ubuntu 20.04 LTS (Available with Ubuntu Pro):
node-ip 1.1.5-5ubuntu0.1~esm1
Ubuntu 18.04 LTS (Available with Ubuntu Pro):
node-ip 1.1.5-1ubuntu0.1~esm1
In general, a standard system update will make all the necessary changes.
References:
https://ubuntu.com/security/notices/USN-6643-1
CVE-2023-42282
Package Information:
https://launchpad.net/ubuntu/+source/node-ip/2.0.0+~1.1.0-1ubuntu0.1