Tech Support
Documentation
Login
Contact Us
Addressing Node.js Vulnerabilities in Ubuntu
Rohan Timalsina
June 25, 2024 - TuxCare expert team
Node.js is an open-source, cross-platform JavaScript runtime environment built on the powerful V8 engine from Chrome. It allows you to run JavaScript code outside a web browser, making it popular for building real-time applications and data streaming services. However, like any software, it is not immune to security vulnerabilities. Recently, multiple vulnerabilities were discovered in Node.js that could lead to the bypass of policy mechanisms or privilege escalation. Fortunately, these vulnerabilities have been addressed in the recent Ubuntu security updates.
Node.js Vulnerabilities Fixed in the Recent Update
CVE-2023-32002
The Module._load() function was found to be capable of bypassing the policy mechanism and requiring modules outside the definitions provided in the policy.json file for a given module. This vulnerability impacts all users who utilize the policy mechanism across all active Node.js release lines: 16.x, 18.x, and 20.x. An attacker could exploit this vulnerability by tricking a user or an automated system into opening a specially crafted input file, thereby bypassing the policy mechanism.
CVE-2023-32006
Similar to CVE-2023-32002, the module.constructor.createRequire() function can also bypass the policy mechanism, allowing the requirement of modules outside the policy.json definitions. This vulnerability affects all users utilizing the policy mechanism in Node.js release lines 16.x, 18.x, and 20.x. If a user or automated system opens a specially crafted input file, a remote attacker could exploit this issue to bypass the policy mechanism.
CVE-2023-32559
A privilege escalation vulnerability exists in Node.js, affecting all active release lines (16.x, 18.x, and 20.x). The deprecated API process.binding() can be used to bypass the policy mechanism by requiring internal modules, ultimately exploiting process.binding('spawn_sync') to run arbitrary code outside the limits defined in a policy.json file.
CVE-2023-30590
Node.js documentation incorrectly described the generateKeys() function, leading to potential security issues in applications using these APIs. This vulnerability, while not directly exploitable like the others, could cause developers to implement insecure solutions based on incorrect documentation.
CVE-2023-23920
Node.js was found to handle certain inputs incorrectly, leading to an untrusted search path vulnerability. This flaw could allow an attacker to search for and potentially load ICU data while running with elevated privileges.
Mitigating the Risks
The Ubuntu security team has released updates to address Node.js vulnerabilities in various versions of Ubuntu, including 23.10, 22.04 LTS, 20.04 LTS, and 18.04 ESM. To safeguard your Node.js environment, it is crucial to update your Node.js installation to the latest version available. Ensuring your Node.js installation is up-to-date not only protects against these specific vulnerabilities but also against any future discovered security issues.
Conclusion
Node.js is a powerful tool for developers, but like any technology, it requires regular maintenance and updates to remain secure. The recent vulnerabilities discovered and patched by the Ubuntu security team highlight the importance of staying vigilant and proactive in software management. By promptly updating your Node.js installations, you can protect your applications and systems from potential exploitation and maintain a secure and resilient system.
Additionally, consider using live patching to protect your Ubuntu systems without downtime. Unlike traditional patching methods, live patching allows critical security patches to be applied to a running kernel without any reboot. This approach results in minimal downtime for your system, ensuring its continued operation while simultaneously improving its security posture.
TuxCare’s KernelCare Enterprise offers automated live patching for all major Linux distributions, including Ubuntu, Debian, RHEL, CentOS, AlmaLinux, Rocky Linux, Oracle Linux, Amazon Linux, and more.
Send patching-related questions to a TuxCare security expert to learn about modernizing your Linux patching approach.
Source: USN-6822-1, USN-6735-1
