ALAS2022-2022-019

Related Vulnerabilities: CVE-2021-44531, CVE-2021-44532, CVE-2021-44533, CVE-2022-21824



Amazon Linux 2022 Security Advisory: ALAS-2022-019
Advisory Release Date: 2022-01-29 00:35 Pacific
Advisory Updated Date: 2022-02-03 18:40 Pacific
Severity: Medium

Issue Overview:

A flaw was found in node.js where it accepted a certificate's Subject Alternative Names (SAN) entry contrary to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host. (CVE-2021-44531)

It was found that node.js did not safely read the x509 certificate generalName format, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host. (CVE-2021-44532)

A flaw was found in node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted x509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in node.js libraries. (CVE-2021-44533)

Prototype pollution via console.table properties (CVE-2022-21824)


Affected Packages:

nodejs


Issue Correction:
Run dnf update --releasever=2022.0.20220202 nodejs to update your system.

New Packages:
aarch64:
    nodejs-libs-debuginfo-16.13.2-3.amzn2022.aarch64
    v8-devel-9.4.146.24-1.16.13.2.3.amzn2022.aarch64
    nodejs-debuginfo-16.13.2-3.amzn2022.aarch64
    nodejs-devel-16.13.2-3.amzn2022.aarch64
    nodejs-full-i18n-16.13.2-3.amzn2022.aarch64
    nodejs-16.13.2-3.amzn2022.aarch64
    nodejs-libs-16.13.2-3.amzn2022.aarch64
    npm-8.1.2-1.16.13.2.3.amzn2022.aarch64
    nodejs-debugsource-16.13.2-3.amzn2022.aarch64

i686:
    nodejs-libs-debuginfo-16.13.2-3.amzn2022.i686
    nodejs-libs-16.13.2-3.amzn2022.i686
    nodejs-debugsource-16.13.2-3.amzn2022.i686
    nodejs-full-i18n-16.13.2-3.amzn2022.i686
    npm-8.1.2-1.16.13.2.3.amzn2022.i686
    nodejs-16.13.2-3.amzn2022.i686
    nodejs-devel-16.13.2-3.amzn2022.i686
    nodejs-debuginfo-16.13.2-3.amzn2022.i686
    v8-devel-9.4.146.24-1.16.13.2.3.amzn2022.i686

noarch:
    nodejs-docs-16.13.2-3.amzn2022.noarch

src:
    nodejs-16.13.2-3.amzn2022.src

x86_64:
    nodejs-libs-debuginfo-16.13.2-3.amzn2022.x86_64
    nodejs-full-i18n-16.13.2-3.amzn2022.x86_64
    nodejs-debuginfo-16.13.2-3.amzn2022.x86_64
    v8-devel-9.4.146.24-1.16.13.2.3.amzn2022.x86_64
    nodejs-16.13.2-3.amzn2022.x86_64
    nodejs-devel-16.13.2-3.amzn2022.x86_64
    nodejs-libs-16.13.2-3.amzn2022.x86_64
    npm-8.1.2-1.16.13.2.3.amzn2022.x86_64
    nodejs-debugsource-16.13.2-3.amzn2022.x86_64
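
A post-update check for the correction step above, added here as an example and not part of the Amazon advisory: it compares each installed nodejs build with 16.13.2-3.amzn2022 from the New Packages list. The function names are hypothetical, and GNU sort -V is assumed as a stand-in for RPM version ordering on a package with no epoch.

```shell
#!/bin/sh
# Added example: post-update check for ALAS-2022-019 (not advisory code).
# Fixed build, from the advisory's "New Packages" list.
FIXED_VERSION="16.13.2"
FIXED_RELEASE="3.amzn2022"

# ver_ge A B: succeed when A orders at or after B.
# Assumption: GNU `sort -V` stands in for RPM's own comparison, which is
# adequate for plain dotted versions like these; rpm/dnf stay authoritative.
ver_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# is_patched VERSION-RELEASE: succeed when the build is the fixed one or newer.
# Assumption: no epoch is set on the package.
is_patched() {
    version=${1%-*}    # text before the last '-'
    release=${1##*-}   # text after the last '-'
    if [ "$version" = "$FIXED_VERSION" ]; then
        ver_ge "$release" "$FIXED_RELEASE"
    else
        ver_ge "$version" "$FIXED_VERSION"
    fi
}

# check_host: report every installed nodejs build (one line per architecture).
check_host() {
    installed=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' nodejs 2>/dev/null) || {
        echo "nodejs is not installed"
        return 2
    }
    status=0
    for build in $installed; do
        if is_patched "$build"; then
            echo "nodejs-$build: fixed build or newer"
        else
            echo "nodejs-$build: older than $FIXED_VERSION-$FIXED_RELEASE, update needed"
            status=1
        fi
    done
    return "$status"
}

# Run the host check only where rpm exists; the functions above work anywhere.
if command -v rpm >/dev/null 2>&1; then
    check_host || true
fi
```

check_host returns 1 when any installed build is older than the fixed one and 2 when nodejs is absent, so it can gate a compliance job.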