This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.ROCKY_LINUX_RLSA-2019-2925.NASLRocky Linux 8 : nodejs:10 (RLSA-2019:2925)
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
98.3%
The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2019:2925 advisory.
-
In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1, an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive mode and by sending headers very slowly. This keeps the connection and associated resources alive for a long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer.
This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1. (CVE-2019-5737) -
Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization manipulation, potentially leading to a denial of service. The attacker requests a large amount of data from a specified resource over multiple streams. They manipulate window size and stream priority to force the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. (CVE-2019-9511)
-
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
(CVE-2019-9512) -
Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service.
The attacker creates multiple request streams and continually shuffles the priority of the streams in a way that causes substantial churn to the priority tree. This can consume excess CPU. (CVE-2019-9513) -
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.
The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both. (CVE-2019-9514) -
Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both. (CVE-2019-9515)
-
Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.
The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and keep the allocation alive until the session dies. This can consume excess memory. (CVE-2019-9516) -
Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint;
however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the wire. The attacker then sends a stream of requests for a large response object. Depending on how the servers queue the responses, this can consume excess memory, CPU, or both. (CVE-2019-9517) -
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag.
These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU. (CVE-2019-9518)
Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.
#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The package checks in this plugin were extracted from
# Rocky Linux Security Advisory RLSA-2019:2925.
##
include('compat.inc');
if (description)
{
script_id(184969);
script_version("1.3");
script_set_attribute(attribute:"plugin_modification_date", value:"2023/12/20");
script_cve_id(
"CVE-2019-5737",
"CVE-2019-9511",
"CVE-2019-9512",
"CVE-2019-9513",
"CVE-2019-9514",
"CVE-2019-9515",
"CVE-2019-9516",
"CVE-2019-9517",
"CVE-2019-9518"
);
script_xref(name:"RLSA", value:"2019:2925");
script_xref(name:"CEA-ID", value:"CEA-2019-0643");
script_name(english:"Rocky Linux 8 : nodejs:10 (RLSA-2019:2925)");
script_set_attribute(attribute:"synopsis", value:
"The remote Rocky Linux host is missing one or more security updates.");
script_set_attribute(attribute:"description", value:
"The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the
RLSA-2019:2925 advisory.
- In Node.js including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before 11.10.1,
an attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS connection in keep-alive
mode and by sending headers very slowly. This keeps the connection and associated resources alive for a
long period of time. Potential attacks are mitigated by the use of a load balancer or other proxy layer.
This vulnerability is an extension of CVE-2018-12121, addressed in November and impacts all active Node.js
release lines including 6.x before 6.17.0, 8.x before 8.15.1, 10.x before 10.15.2, and 11.x before
11.10.1. (CVE-2019-5737)
- Some HTTP/2 implementations are vulnerable to window size manipulation and stream prioritization
manipulation, potentially leading to a denial of service. The attacker requests a large amount of data
from a specified resource over multiple streams. They manipulate window size and stream priority to force
the server to queue the data in 1-byte chunks. Depending on how efficiently this data is queued, this can
consume excess CPU, memory, or both. (CVE-2019-9511)
- Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The
attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of
responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
(CVE-2019-9512)
- Some HTTP/2 implementations are vulnerable to resource loops, potentially leading to a denial of service.
The attacker creates multiple request streams and continually shuffles the priority of the streams in a
way that causes substantial churn to the priority tree. This can consume excess CPU. (CVE-2019-9513)
- Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service.
The attacker opens a number of streams and sends an invalid request over each stream that should solicit a
stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this
can consume excess memory, CPU, or both. (CVE-2019-9514)
- Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of
service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer
reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in
behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory,
or both. (CVE-2019-9515)
- Some HTTP/2 implementations are vulnerable to a header leak, potentially leading to a denial of service.
The attacker sends a stream of headers with a 0-length header name and 0-length header value, optionally
Huffman encoded into 1-byte or greater headers. Some implementations allocate memory for these headers and
keep the allocation alive until the session dies. This can consume excess memory. (CVE-2019-9516)
- Some HTTP/2 implementations are vulnerable to unconstrained interal data buffering, potentially leading to
a denial of service. The attacker opens the HTTP/2 window so the peer can send without constraint;
however, they leave the TCP window closed so the peer cannot actually write (many of) the bytes on the
wire. The attacker then sends a stream of requests for a large response object. Depending on how the
servers queue the responses, this can consume excess memory, CPU, or both. (CVE-2019-9517)
- Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of
service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag.
These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each
frame disproportionate to attack bandwidth. This can consume excess CPU. (CVE-2019-9518)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
script_set_attribute(attribute:"see_also", value:"https://errata.rockylinux.org/RLSA-2019:2925");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1735645");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1735741");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1735744");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1735745");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1735749");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1741860");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1741864");
script_set_attribute(attribute:"see_also", value:"https://bugzilla.redhat.com/show_bug.cgi?id=1741868");
script_set_attribute(attribute:"solution", value:
"Update the affected nodejs-nodemon and / or nodejs-packaging packages.");
script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
script_set_attribute(attribute:"cvss_score_source", value:"CVE-2019-9518");
script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
script_set_attribute(attribute:"exploit_available", value:"false");
script_set_attribute(attribute:"vuln_publication_date", value:"2019/02/28");
script_set_attribute(attribute:"patch_publication_date", value:"2019/09/30");
script_set_attribute(attribute:"plugin_publication_date", value:"2023/11/07");
script_set_attribute(attribute:"plugin_type", value:"local");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-nodemon");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:rocky:linux:nodejs-packaging");
script_set_attribute(attribute:"cpe", value:"cpe:/o:rocky:linux:8");
script_set_attribute(attribute:"generated_plugin", value:"current");
script_end_attributes();
script_category(ACT_GATHER_INFO);
script_family(english:"Rocky Linux Local Security Checks");
script_copyright(english:"This script is Copyright (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");
script_dependencies("ssh_get_info.nasl");
script_require_keys("Host/local_checks_enabled", "Host/RockyLinux/release", "Host/RockyLinux/rpm-list", "Host/cpu");
exit(0);
}
include('rpm.inc');
if (!get_kb_item('Host/local_checks_enabled')) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/RockyLinux/release');
if (isnull(os_release) || 'Rocky Linux' >!< os_release) audit(AUDIT_OS_NOT, 'Rocky Linux');
var os_ver = pregmatch(pattern: "Rocky(?: Linux)? release ([0-9]+(\.[0-9]+)?)", string:os_release);
if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, 'Rocky Linux');
os_ver = os_ver[1];
if (! preg(pattern:"^8([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, 'Rocky Linux 8.x', 'Rocky Linux ' + os_ver);
if (!get_kb_item('Host/RockyLinux/rpm-list')) audit(AUDIT_PACKAGE_LIST_MISSING);
var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Rocky Linux', cpu);
var module_ver = get_kb_item('Host/RockyLinux/appstream/nodejs');
if (isnull(module_ver)) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module nodejs:10');
if ('10' >!< module_ver) audit(AUDIT_PACKAGE_NOT_AFFECTED, 'Module nodejs:' + module_ver);
var appstreams = {
'nodejs:10': [
{'reference':'nodejs-nodemon-1.18.3-1.module+el8.3.0+101+f84c7154', 'release':'8', 'rpm_spec_vers_cmp':TRUE},
{'reference':'nodejs-packaging-17-3.module+el8.3.0+101+f84c7154', 'release':'8', 'rpm_spec_vers_cmp':TRUE, 'allowmaj':TRUE}
]
};
var flag = 0;
var appstreams_found = 0;
foreach var module (keys(appstreams)) {
var appstream = NULL;
var appstream_name = NULL;
var appstream_version = NULL;
var appstream_split = split(module, sep:':', keep:FALSE);
if (!empty_or_null(appstream_split)) {
appstream_name = appstream_split[0];
appstream_version = appstream_split[1];
if (!empty_or_null(appstream_name)) appstream = get_one_kb_item('Host/RockyLinux/appstream/' + appstream_name);
}
if (!empty_or_null(appstream) && appstream_version == appstream || appstream_name == 'all') {
appstreams_found++;
foreach var package_array ( appstreams[module] ) {
var reference = NULL;
var _release = NULL;
var sp = NULL;
var _cpu = NULL;
var el_string = NULL;
var rpm_spec_vers_cmp = NULL;
var epoch = NULL;
var allowmaj = NULL;
var exists_check = NULL;
if (!empty_or_null(package_array['reference'])) reference = package_array['reference'];
if (!empty_or_null(package_array['release'])) _release = 'Rocky-' + package_array['release'];
if (!empty_or_null(package_array['sp'])) sp = package_array['sp'];
if (!empty_or_null(package_array['cpu'])) _cpu = package_array['cpu'];
if (!empty_or_null(package_array['el_string'])) el_string = package_array['el_string'];
if (!empty_or_null(package_array['rpm_spec_vers_cmp'])) rpm_spec_vers_cmp = package_array['rpm_spec_vers_cmp'];
if (!empty_or_null(package_array['epoch'])) epoch = package_array['epoch'];
if (!empty_or_null(package_array['allowmaj'])) allowmaj = package_array['allowmaj'];
if (!empty_or_null(package_array['exists_check'])) exists_check = package_array['exists_check'];
if (reference && _release && (!exists_check || rpm_exists(release:_release, rpm:exists_check))) {
if (rpm_check(release:_release, sp:sp, cpu:_cpu, reference:reference, epoch:epoch, el_string:el_string, rpm_spec_vers_cmp:rpm_spec_vers_cmp, allowmaj:allowmaj)) flag++;
}
}
}
}
if (!appstreams_found) audit(AUDIT_PACKAGE_NOT_INSTALLED, 'Module nodejs:10');
if (flag)
{
security_report_v4(
port : 0,
severity : SECURITY_HOLE,
extra : rpm_report_get()
);
exit(0);
}
else
{
var tested = pkg_tests_get();
if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'nodejs-nodemon / nodejs-packaging');
}
References
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5737
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9511
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9513
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9516
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9517
cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9518
bugzilla.redhat.com/show_bug.cgi?id=1735645
bugzilla.redhat.com/show_bug.cgi?id=1735741
bugzilla.redhat.com/show_bug.cgi?id=1735744
bugzilla.redhat.com/show_bug.cgi?id=1735745
bugzilla.redhat.com/show_bug.cgi?id=1735749
bugzilla.redhat.com/show_bug.cgi?id=1741860
bugzilla.redhat.com/show_bug.cgi?id=1741864
bugzilla.redhat.com/show_bug.cgi?id=1741868
errata.rockylinux.org/RLSA-2019:2925
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:N/I:N/A:C
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
98.3%