Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.DEBIAN_DSA-5170.NASL
HistoryJun 28, 2022 - 12:00 a.m.

Debian DSA-5170-1 : nodejs - security update

2022-06-2800:00:00
This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
18
JSON

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5170 advisory.

  • The parser in accepts requests with a space (SP) right after the header name before the colon. This can lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  • The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  • Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use.
    Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option. (CVE-2021-44531)

  • Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option. (CVE-2021-44532)

  • Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.Affected versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node’s ambiguous presentation of certificate subjects may be vulnerable. (CVE-2021-44533)

  • Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be proto. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object these properties are being assigned to. (CVE-2022-21824)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory dsa-5170. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include('compat.inc');

if (description)
{
  script_id(162561);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/10/19");

  script_cve_id(
    "CVE-2021-22959",
    "CVE-2021-22960",
    "CVE-2021-44531",
    "CVE-2021-44532",
    "CVE-2021-44533",
    "CVE-2022-21824"
  );

  script_name(english:"Debian DSA-5170-1 : nodejs - security update");

  script_set_attribute(attribute:"synopsis", value:
"The remote Debian host is missing one or more security-related updates.");
  script_set_attribute(attribute:"description", value:
"The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the
dsa-5170 advisory.

  - The parser in accepts requests with a space (SP) right after the header name before the colon. This can
    lead to HTTP Request Smuggling (HRS) in llhttp < v2.1.4 and < v6.0.6. (CVE-2021-22959)

  - The parse function in llhttp < 2.1.4 and < 6.0.6. ignores chunk extensions when parsing the body of
    chunked requests. This leads to HTTP Request Smuggling (HRS) under certain conditions. (CVE-2021-22960)

  - Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a
    particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3,
    < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use.
    Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js
    with the fix for this disable the URI SAN type when checking a certificate against a hostname. This
    behavior can be reverted through the --security-revert command-line option. (CVE-2021-44531)

  - Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 converts SANs (Subject Alternative Names) to a
    string format. It uses this string to check peer certificates against hostnames when validating
    connections. The string format was subject to an injection vulnerability when name constraints were used
    within a certificate chain, allowing the bypass of these name constraints.Versions of Node.js with the fix
    for this escape SANs containing the problematic characters in order to prevent the injection. This
    behavior can be reverted through the --security-revert command-line option. (CVE-2021-44532)

  - Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 did not handle multi-value Relative Distinguished
    Names correctly. Attackers could craft certificate subjects containing a single-value Relative
    Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in
    order to inject a Common Name that would allow bypassing the certificate subject verification.Affected
    versions of Node.js that do not accept multi-value Relative Distinguished Names and are thus not
    vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation
    of certificate subjects may be vulnerable. (CVE-2021-44533)

  - Due to the formatting logic of the console.table() function it was not safe to allow user controlled
    input to be passed to the properties parameter while simultaneously passing a plain object with at least
    one property as the first parameter, which could be __proto__. The prototype pollution has very limited
    control, in that it only allows an empty string to be assigned to numerical keys of the object
    prototype.Node.js >= 12.22.9, >= 14.18.3, >= 16.13.2, and >= 17.3.1 use a null protoype for the object
    these properties are being assigned to. (CVE-2022-21824)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/source-package/nodejs");
  script_set_attribute(attribute:"see_also", value:"https://www.debian.org/security/2022/dsa-5170");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-22959");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-22960");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-44531");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-44532");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2021-44533");
  script_set_attribute(attribute:"see_also", value:"https://security-tracker.debian.org/tracker/CVE-2022-21824");
  script_set_attribute(attribute:"see_also", value:"https://packages.debian.org/source/bullseye/nodejs");
  script_set_attribute(attribute:"solution", value:
"Upgrade the nodejs packages.

For the stable distribution (bullseye), these problems have been fixed in version 12.22.12~dfsg-1~deb11u1.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-21824");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2021/10/12");
  script_set_attribute(attribute:"patch_publication_date", value:"2022/06/27");
  script_set_attribute(attribute:"plugin_publication_date", value:"2022/06/28");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnode-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:libnode72");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nodejs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:nodejs-doc");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:11.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Debian Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2022-2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

var release = get_kb_item('Host/Debian/release');
if ( isnull(release) ) audit(AUDIT_OS_NOT, 'Debian');
var release = chomp(release);
if (! preg(pattern:"^(11)\.[0-9]+", string:release)) audit(AUDIT_OS_NOT, 'Debian 11.0', 'Debian ' + release);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Debian', cpu);

var pkgs = [
    {'release': '11.0', 'prefix': 'libnode-dev', 'reference': '12.22.12~dfsg-1~deb11u1'},
    {'release': '11.0', 'prefix': 'libnode72', 'reference': '12.22.12~dfsg-1~deb11u1'},
    {'release': '11.0', 'prefix': 'nodejs', 'reference': '12.22.12~dfsg-1~deb11u1'},
    {'release': '11.0', 'prefix': 'nodejs-doc', 'reference': '12.22.12~dfsg-1~deb11u1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var release = NULL;
  var prefix = NULL;
  var reference = NULL;
  if (!empty_or_null(package_array['release'])) release = package_array['release'];
  if (!empty_or_null(package_array['prefix'])) prefix = package_array['prefix'];
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (release && prefix && reference) {
    if (deb_check(release:release, prefix:prefix, reference:reference)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : deb_report_get()
  );
  exit(0);
}
else
{
  var tested = deb_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'libnode-dev / libnode72 / nodejs / nodejs-doc');
}
VendorProductVersionCPE
debiandebian_linuxlibnode-devp-cpe:/a:debian:debian_linux:libnode-dev
debiandebian_linuxlibnode72p-cpe:/a:debian:debian_linux:libnode72
debiandebian_linuxnodejsp-cpe:/a:debian:debian_linux:nodejs
debiandebian_linuxnodejs-docp-cpe:/a:debian:debian_linux:nodejs-doc
debiandebian_linux11.0cpe:/o:debian:debian_linux:11.0

Related

debian 1
osv 15
openvas 18
ibm 39
nessus 32
photon 3
nodejsblog 2
altlinux 2
redos 1
mageia 2
freebsd 2
rocky 4
almalinux 3
oraclelinux 2
fedora 5
redhat 7
suse 4
hackerone 4
archlinux 3
ubuntucve 6
prion 6
debiancve 6
veracode 6
alpinelinux 6
cve 6
redhatcve 6
cbl_mariner 8
debian
debian
[SECURITY] [DSA 5170-1] nodejs security update
2022-06-27 18:43:09
osv
osv
nodejs - security update
2022-06-27 00:00:00
Moderate: nodejs:14 security update
2022-11-08 00:00:00
Moderate: nodejs:14 security update
2022-11-08 10:51:23
openvas
openvas
Debian: Security Advisory (DSA-5170-1)
2022-06-29 00:00:00
Mageia: Security Advisory (MGASA-2022-0077)
2022-02-23 00:00:00
Fedora: Security Advisory for nodejs (FEDORA-2022-78090d2099)
2022-01-21 00:00:00
ibm
ibm
Security Bulletin: IBM InfoSphere Information Server is affected by multiple vulnerabilities in Node.js.
2022-04-27 23:07:00
Security Bulletin: Vulnerabilities in the Open Source Node.js runtime affect IBM Event Streams (CVE-2021-44533, CVE-2022-21824, CVE-2021-44531, CVE-2021-44532)
2022-07-12 15:05:41
Security Bulletin: IBM DataPower Gateway potentially affected by various vulnerabilities in Node
2022-07-29 18:33:15
nessus
nessus
Amazon Linux 2022 : nodejs (ALAS2022-2022-214)
2022-12-09 00:00:00
openSUSE 15 Security Update : nodejs14 (openSUSE-SU-2022:0112-1)
2022-01-19 00:00:00
Node.js 12.x < 12.22.9 / 14.x < 14.18.3 / 16.x < 16.13.2 / 17.x < 17.3.1 Multiple Vulnerabilities (January 10th 2022 Security Releases).
2022-02-03 00:00:00
photon
photon
Important Photon OS Security Update - PHSA-2022-0164
2022-03-22 00:00:00
Important Photon OS Security Update - PHSA-2022-0453
2022-03-23 00:00:00
Important Photon OS Security Update - PHSA-2022-4.0-0164
2022-03-22 00:00:00
nodejsblog
nodejsblog
January 10th 2022 Security Releases
2022-01-11 00:00:00
October 12th 2021 Security Releases
2021-10-12 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 16.13.2-alt1
2022-03-18 00:00:00
Security fix for the ALT Linux 10 package node version 14.18.2-alt1
2021-12-23 00:00:00
redos
redos
ROS-20220125-10
2022-01-25 00:00:00
mageia
mageia
Updated nodejs packages fix security vulnerability
2022-02-22 23:15:16
Updated nodejs packages fix security vulnerability
2021-12-30 19:41:51
freebsd
freebsd
Node.js -- January 2022 Security Releases
2022-01-10 00:00:00
Node.js -- October 2021 Security Releases
2021-10-12 00:00:00
rocky
rocky
nodejs:14 security update
2022-11-08 10:51:23
12 bug fix and enhancement update
2022-06-21 11:47:44
nodejs:16 security, bug fix, and enhancement update
2022-12-15 15:42:25
almalinux
almalinux
Moderate: nodejs:14 security update
2022-11-08 00:00:00
Moderate: nodejs:16 security, bug fix, and enhancement update
2022-12-15 00:00:00
Moderate: nodejs:16 security, bug fix, and enhancement update
2021-12-15 19:09:29
oraclelinux
oraclelinux
nodejs:14 security update
2022-11-15 00:00:00
nodejs:16 security, bug fix, and enhancement update
2022-12-16 00:00:00
fedora
fedora
[SECURITY] Fedora 34 Update: nodejs-14.18.3-1.fc34
2022-01-20 08:35:12
[SECURITY] Fedora 35 Update: nodejs-16.13.2-1.fc35
2022-01-20 14:55:17
[SECURITY] Fedora 33 Update: nodejs-14.18.1-1.fc33
2021-10-23 03:25:54
redhat
redhat
(RHSA-2022:7830) Moderate: nodejs:14 security update
2022-11-08 10:51:23
(RHSA-2022:4914) Moderate: rh-nodejs12-nodejs security, bug fix, and enhancement update
2022-06-06 06:49:48
(RHSA-2022:7044) Moderate: rh-nodejs14-nodejs security update
2022-10-19 09:58:44
suse
suse
Security update for nodejs12 (moderate)
2022-04-17 00:00:00
Security update for nodejs12 (important)
2021-12-06 00:00:00
Security update for nodejs14 (important)
2021-12-07 00:00:00
hackerone
hackerone
Node.js: Node.js Certificate Verification Bypass via String Injection
2021-12-17 14:57:13
Node.js: HTTP Request Smuggling due to accepting space before colon
2021-06-20 11:10:00
Node.js: Prototype pollution via console.table properties
2021-12-20 00:35:48
archlinux
archlinux
[ASA-202110-4] nodejs: url request injection
2021-10-21 00:00:00
[ASA-202110-6] nodejs-lts-erbium: multiple issues
2021-10-21 00:00:00
[ASA-202110-5] nodejs-lts-fermium: multiple issues
2021-10-21 00:00:00
ubuntucve
ubuntucve
CVE-2021-44533
2022-02-24 00:00:00
CVE-2021-44531
2022-02-24 00:00:00
CVE-2021-44532
2022-02-24 00:00:00
prion
prion
Design/Logic Flaw
2022-02-24 19:15:00
Code injection
2022-02-24 19:15:00
Design/Logic Flaw
2022-02-24 19:15:00
debiancve
debiancve
CVE-2021-44531
2022-02-24 19:15:00
CVE-2021-44532
2022-02-24 19:15:00
CVE-2022-21824
2022-02-24 19:15:00
veracode
veracode
Improper Certificate Validation
2022-01-12 19:19:21
Arbitrary Code Execution
2022-01-12 19:19:15
HTTP Request Smuggling (HRS)
2021-10-13 17:26:57
alpinelinux
alpinelinux
CVE-2021-44533
2022-02-24 19:15:00
CVE-2021-22960
2021-11-03 20:15:00
CVE-2021-44531
2022-02-24 19:15:00
cve
cve
CVE-2021-22959
2021-11-15 15:15:00
CVE-2021-44532
2022-02-24 19:15:00
CVE-2021-44531
2022-02-24 19:15:00
redhatcve
redhatcve
CVE-2021-44533
2022-01-14 20:45:33
CVE-2021-44531
2022-01-14 19:54:26
CVE-2021-22959
2021-10-14 12:15:38
cbl_mariner
cbl_mariner
CVE-2021-44531 affecting package nodejs 14.17.2-2
2022-04-09 06:52:23
CVE-2021-44531 affecting package nodejs 14.18.1-1
2022-03-19 16:40:55
CVE-2021-44532 affecting package nodejs 14.18.1-1
2022-03-19 16:40:55
JSON
Related for DEBIAN_DSA-5170.NASL
debian1osv15openvas18ibm39nessus32photon3nodejsblog2altlinux2redos1mageia2freebsd2rocky4almalinux3oraclelinux2fedora5redhat7suse4hackerone4archlinux3ubuntucve6prion6debiancve6veracode6alpinelinux6cve6redhatcve6cbl_mariner8