Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
nessusThis script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.ORACLELINUX_ELSA-2023-2654.NASL
HistoryMay 17, 2023 - 12:00 a.m.

Oracle Linux 9 : nodejs:18 (ELSA-2023-2654)

2023-05-1700:00:00
This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.
www.tenable.com
11
oracle linux 9
node.js
vulnerability
redos
crlf injection
privilege escalation
cryptographic weakness
untrusted search path

0.001 Low

EPSS

Percentile

50.7%

JSON

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2023-2654 advisory.

  • The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service) attacks against the enclosure regular expression. (CVE-2021-35065)

  • Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the undici library does not protect host HTTP header from CRLF injection vulnerabilities. This issue is patched in Undici v5.19.1. As a workaround, sanitize the headers.host string before passing to undici.
    (CVE-2023-23936)

  • A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in Node.js and access non authorized modules by using process.mainModule.require(). This only affects users who had enabled the experimental permissions option with --experimental-policy. (CVE-2023-23918)

  • This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via malicious request header values sent to a server, when that server reads the cache policy from the request using this library. (CVE-2022-25881)

  • A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of service or a limited impact on confidentiality and integrity. (CVE-2022-4904)

  • A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases did does not clear the OpenSSL error stack after operations that may set it. This may lead to false positive errors during subsequent cryptographic operations that happen to be on the same thread. This in turn could be used to cause a denial of service. (CVE-2023-23919)

  • An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that could allow an attacker to search and potentially load ICU data when running with elevated privileges.
    (CVE-2023-23920)

  • Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the Headers.set() and Headers.append() methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when untrusted values are passed into the functions. This is due to the inefficient regular expression used to normalize the values in the headerValueNormalize() utility function. This vulnerability was patched in v5.19.1. No known workarounds are available. (CVE-2023-24807)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Oracle Linux Security Advisory ELSA-2023-2654.
##

include('compat.inc');

if (description)
{
  script_id(175991);
  script_version("1.1");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/09/18");

  script_cve_id(
    "CVE-2021-35065",
    "CVE-2022-4904",
    "CVE-2022-25881",
    "CVE-2023-23918",
    "CVE-2023-23919",
    "CVE-2023-23920",
    "CVE-2023-23936",
    "CVE-2023-24807"
  );

  script_name(english:"Oracle Linux 9 : nodejs:18 (ELSA-2023-2654)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Oracle Linux host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the
ELSA-2023-2654 advisory.

  - The glob-parent package before 6.0.1 for Node.js allows ReDoS (regular expression denial of service)
    attacks against the enclosure regular expression. (CVE-2021-35065)

  - Undici is an HTTP/1.1 client for Node.js. Starting with version 2.0.0 and prior to version 5.19.1, the
    undici library does not protect `host` HTTP header from CRLF injection vulnerabilities. This issue is
    patched in Undici v5.19.1. As a workaround, sanitize the `headers.host` string before passing to undici.
    (CVE-2023-23936)

  - A privilege escalation vulnerability exists in Node.js <19.6.1, <18.14.1, <16.19.1 and <14.21.3 that made
    it possible to bypass the experimental Permissions (https://nodejs.org/api/permissions.html) feature in
    Node.js and access non authorized modules by using process.mainModule.require(). This only affects users
    who had enabled the experimental permissions option with --experimental-policy. (CVE-2023-23918)

  - This affects versions of the package http-cache-semantics before 4.1.1. The issue can be exploited via
    malicious request header values sent to a server, when that server reads the cache policy from the request
    using this library. (CVE-2022-25881)

  - A flaw was found in the c-ares package. The ares_set_sortlist is missing checks about the validity of the
    input string, which allows a possible arbitrary length stack overflow. This issue may cause a denial of
    service or a limited impact on confidentiality and integrity. (CVE-2022-4904)

  - A cryptographic vulnerability exists in Node.js <19.2.0, <18.14.1, <16.19.1, <14.21.3 that in some cases
    did does not clear the OpenSSL error stack after operations that may set it. This may lead to false
    positive errors during subsequent cryptographic operations that happen to be on the same thread. This in
    turn could be used to cause a denial of service. (CVE-2023-23919)

  - An untrusted search path vulnerability exists in Node.js. <19.6.1, <18.14.1, <16.19.1, and <14.21.3 that
    could allow an attacker to search and potentially load ICU data when running with elevated privileges.
    (CVE-2023-23920)

  - Undici is an HTTP/1.1 client for Node.js. Prior to version 5.19.1, the `Headers.set()` and
    `Headers.append()` methods are vulnerable to Regular Expression Denial of Service (ReDoS) attacks when
    untrusted values are passed into the functions. This is due to the inefficient regular expression used to
    normalize the values in the `headerValueNormalize()` utility function. This vulnerability was patched in
    v5.19.1. No known workarounds are available. (CVE-2023-24807)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://linux.oracle.com/errata/ELSA-2023-2654.html");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2022-4904");

  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"vuln_publication_date", value:"2022/12/26");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/05/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/05/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:9");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nodejs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nodejs-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nodejs-docs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nodejs-full-i18n");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nodejs-nodemon");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nodejs-packaging");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:nodejs-packaging-bundler");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:npm");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Oracle Linux Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/local_checks_enabled");

  exit(0);
}


include('rpm.inc');

if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item('Host/OracleLinux')) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_release = get_kb_item("Host/RedHat/release");
if (isnull(os_release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:os_release)) audit(AUDIT_OS_NOT, 'Oracle Linux');
var os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Oracle Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^9([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Oracle Linux 9', 'Oracle Linux ' + os_ver);

if (!get_kb_item('Host/RedHat/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Oracle Linux', cpu);

var pkgs = [
    {'reference':'nodejs-docs-18.14.2-2.module+el9.2.0+21038+115df6a2', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
    {'reference':'nodejs-nodemon-2.0.20-2.module+el9.2.0+21038+115df6a2', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs-packaging-2021.06-4.module+el9.1.0+20762+f52d7401', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs-packaging-bundler-2021.06-4.module+el9.1.0+20762+f52d7401', 'release':'9', 'rpm_spec_vers_cmp':TRUE},
    {'reference':'nodejs-18.14.2-2.module+el9.2.0+21038+115df6a2', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
    {'reference':'nodejs-devel-18.14.2-2.module+el9.2.0+21038+115df6a2', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
    {'reference':'nodejs-full-i18n-18.14.2-2.module+el9.2.0+21038+115df6a2', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
    {'reference':'npm-9.5.0-1.18.14.2.2.module+el9.2.0+21038+115df6a2', 'cpu':'aarch64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
    {'reference':'nodejs-18.14.2-2.module+el9.2.0+21038+115df6a2', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
    {'reference':'nodejs-devel-18.14.2-2.module+el9.2.0+21038+115df6a2', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
    {'reference':'nodejs-full-i18n-18.14.2-2.module+el9.2.0+21038+115df6a2', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'},
    {'reference':'npm-9.5.0-1.18.14.2.2.module+el9.2.0+21038+115df6a2', 'cpu':'x86_64', 'release':'9', 'rpm_spec_vers_cmp':TRUE, 'epoch':'1'}
];

var flag = 0;
foreach var package_array ( pkgs ) {
  var reference = NULL;
  var _release = NULL;
  var sp = NULL;
  var _cpu = NULL;
  var el_string = NULL;
  var rpm_spec_vers_cmp = NULL;
  var epoch = NULL;
  var allowmaj = NULL;
  var exists_check = NULL;
  if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
  if (!empty_or_null(package_array['release'])) _release = 'EL' + package_array['release'];
  if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
  if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
  if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
  if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
  if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
  if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
  if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
  if (reference && _release) {
    if (exists_check) {
        if (rpm_exists(release:_release, rpm:exists_check) && rpm_check(release:_release, sp:sp, cpu:cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    } else {
        if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
    }
  }
}

if (flag)
{
  security_report_v4(
      port       : 0,
      severity   : SECURITY_HOLE,
      extra      : rpm_report_get()
  );
  exit(0);
}
else
{
  var tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nodejs / nodejs-devel / nodejs-docs / etc');
}
VendorProductVersionCPE
oraclelinux9cpe:/o:oracle:linux:9
oraclelinuxnodejsp-cpe:/a:oracle:linux:nodejs
oraclelinuxnodejs-develp-cpe:/a:oracle:linux:nodejs-devel
oraclelinuxnodejs-docsp-cpe:/a:oracle:linux:nodejs-docs
oraclelinuxnodejs-full-i18np-cpe:/a:oracle:linux:nodejs-full-i18n
oraclelinuxnodejs-nodemonp-cpe:/a:oracle:linux:nodejs-nodemon
oraclelinuxnodejs-packagingp-cpe:/a:oracle:linux:nodejs-packaging
oraclelinuxnodejs-packaging-bundlerp-cpe:/a:oracle:linux:nodejs-packaging-bundler
oraclelinuxnpmp-cpe:/a:oracle:linux:npm

Related

oraclelinux 5
osv 22
nessus 49
almalinux 5
rocky 4
redhat 9
fedora 6
openvas 23
ibm 14
nodejsblog 1
altlinux 1
mageia 1
f5 2
ubuntu 1
alpinelinux 4
redhatcve 6
prion 6
hackerone 5
nvd 6
cve 6
ubuntucve 4
cbl_mariner 5
cvelist 4
veracode 4
debiancve 3
github 2
photon 1
oraclelinux
oraclelinux
nodejs:16 security, bug fix, and enhancement update
2023-04-05 00:00:00
nodejs:18 security, bug fix, and enhancement update
2023-05-17 00:00:00
nodejs:18 security, bug fix, and enhancement update
2023-04-05 00:00:00
osv
osv
Moderate: nodejs:18 security, bug fix, and enhancement update
2023-05-09 00:00:00
Moderate: nodejs:16 security, bug fix, and enhancement update
2023-04-04 00:00:00
Moderate: nodejs:16 security, bug fix, and enhancement update
2023-04-06 15:52:43
nessus
nessus
RHEL 9 : nodejs:18 (RHSA-2023:2654)
2023-05-13 00:00:00
Rocky Linux 8 : nodejs:16 (RLSA-2023:1582)
2023-04-06 00:00:00
RHEL 8 : nodejs:16 (RHSA-2023:1582)
2024-01-26 00:00:00
almalinux
almalinux
Moderate: nodejs:18 security, bug fix, and enhancement update
2023-05-09 00:00:00
Moderate: nodejs:16 security, bug fix, and enhancement update
2023-04-04 00:00:00
Moderate: nodejs and nodejs-nodemon security, bug fix, and enhancement update
2023-05-09 00:00:00
rocky
rocky
nodejs:16 security, bug fix, and enhancement update
2023-04-06 15:52:43
nodejs:18 security, bug fix, and enhancement update
2023-04-06 15:52:43
nodejs and nodejs-nodemon security, bug fix, and enhancement update
2023-05-25 19:53:09
redhat
redhat
(RHSA-2023:1582) Moderate: nodejs:16 security, bug fix, and enhancement update
2023-04-04 08:51:33
(RHSA-2023:2654) Moderate: nodejs:18 security, bug fix, and enhancement update
2023-05-09 11:25:28
(RHSA-2023:2655) Moderate: nodejs and nodejs-nodemon security, bug fix, and enhancement update
2023-05-09 11:25:41
fedora
fedora
[SECURITY] Fedora 38 Update: nodejs20-19.8.1-7.fc38
2023-04-04 18:17:01
[SECURITY] Fedora 38 Update: nodejs16-16.20.0-2.fc38
2023-04-04 18:17:01
[SECURITY] Fedora 38 Update: nodejs18-18.15.0-6.fc38
2023-04-04 18:17:01
openvas
openvas
Fedora: Security Advisory for nodejs18 (FEDORA-2023-973319d5b7)
2023-04-05 00:00:00
Fedora: Security Advisory for nodejs16 (FEDORA-2023-973319d5b7)
2023-04-05 00:00:00
Fedora: Security Advisory for nodejs20 (FEDORA-2023-973319d5b7)
2023-04-05 00:00:00
ibm
ibm
Security Bulletin: Multiple vulnerabilities present in IBM Answer Retrieval for Watson Discovery versions 2.10 and earlier
2023-03-15 17:24:51
Security Bulletin: IBM Watson Discovery Cartridge for IBM Cloud Pak for Data affected by vulnerability in Node.js
2023-06-28 20:58:14
Security Bulletin: Platform Navigator and Automation Assets in IBM Cloud Pak for Integration are vulnerable to multiple vulnerabilities in Node.js
2023-04-03 15:27:47
nodejsblog
nodejsblog
Thursday February 16 2023 Security Releases
2023-02-16 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 10 package node version 16.19.1-alt1
2023-03-22 00:00:00
mageia
mageia
Updated nodejs packages fix security vulnerability
2023-03-02 00:14:31
f5
f5
K000134602 : Node.js vulnerabilities CVE-2023-23918 and CVE-2023-23920
2023-05-15 00:00:00
K000133616 : Node.js vulnerability CVE-2023-23919
2023-04-22 00:00:00
ubuntu
ubuntu
Node.js vulnerabilities
2024-03-04 00:00:00
alpinelinux
alpinelinux
CVE-2023-23919
2023-02-23 20:15:13
CVE-2023-23920
2023-02-23 20:15:14
CVE-2023-23918
2023-02-23 20:15:13
redhatcve
redhatcve
CVE-2023-23936
2023-02-21 16:29:21
CVE-2023-23919
2023-02-21 15:59:29
CVE-2021-35065
2022-12-26 12:34:50
prion
prion
Crlf injection
2023-02-16 18:15:00
Design/Logic Flaw
2023-02-23 20:15:00
Design/Logic Flaw
2023-02-16 18:15:00
hackerone
hackerone
Internet Bug Bounty: CRLF Injection in Nodejs ‘undici’ via host
2023-02-18 14:54:34
Node.js: Permissions policies can be bypassed via process.mainModule
2022-10-24 11:29:58
Internet Bug Bounty: CVE-2023-23919: Multiple OpenSSL error handling issues in nodejs crypto library
2023-02-17 19:23:20
nvd
nvd
CVE-2021-35065
2022-12-26 07:15:11
CVE-2023-23918
2023-02-23 20:15:13
CVE-2023-24807
2023-02-16 18:15:12
cve
cve
CVE-2023-23936
2023-02-16 18:15:10
CVE-2023-23919
2023-02-23 20:15:13
CVE-2021-35065
2022-12-26 07:15:11
ubuntucve
ubuntucve
CVE-2023-23936
2023-02-16 00:00:00
CVE-2023-23919
2023-02-23 00:00:00
CVE-2023-23918
2023-02-23 00:00:00
cbl_mariner
cbl_mariner
CVE-2023-23936 affecting package nodejs for versions less than 16.19.1-1
2023-03-24 23:56:25
CVE-2023-23919 affecting package nodejs for versions less than 16.19.1-1
2023-03-24 23:56:25
CVE-2023-23920 affecting package nodejs 14.21.1-3
2023-08-15 16:37:27
cvelist
cvelist
CVE-2023-23936 CRLF Injection in Nodejs ‘undici’ via host
2023-02-16 17:30:23
CVE-2021-35065
2022-12-26 00:00:00
CVE-2023-23919
2023-02-23 00:00:00
veracode
veracode
CRLF Injection
2023-02-17 03:00:42
Improper Access Control
2023-02-18 04:53:51
Denial Of Service (DoS)
2023-02-18 05:18:49
debiancve
debiancve
CVE-2021-35065
2022-12-26 07:15:11
CVE-2023-23936
2023-02-16 18:15:10
CVE-2023-23920
2023-02-23 20:15:14
github
github
glob-parent 6.0.0 vulnerable to Regular Expression Denial of Service
2022-07-18 17:03:23
CRLF Injection in Nodejs ‘undici’ via host
2023-02-16 20:46:30
photon
photon
Critical Photon OS Security Update - PHSA-2023-5.0-0011
2023-05-24 00:00:00

0.001 Low

EPSS

Percentile

50.7%

JSON
Related for ORACLELINUX_ELSA-2023-2654.NASL
oraclelinux5osv22nessus49almalinux5rocky4redhat9fedora6openvas23ibm14nodejsblog1altlinux1mageia1f52ubuntu1alpinelinux4redhatcve6prion6hackerone5nvd6cve6ubuntucve4cbl_mariner5cvelist4veracode4debiancve3github2photon1