Multiple Node.js Vulnerabilities Fixed in Ubuntu
Ubuntu 22.04 LTS has received security updates addressing several Node.js vulnerabilities that could be exploited to cause a denial of service or arbitrary code execution. It is crucial to keep your Node.js packages up to date to avoid falling victim to these vulnerabilities.
Node.js Vulnerabilities in Ubuntu
CVE-2022-0778 (Cvss 3 Severity Score: 7.5)
Tavis Ormandy found an issue in how Node.js deals with certain inputs. If a user or an automated system accidentally opens a file that’s been specially crafted by a malicious actor, it could lead to a situation where a remote attacker might be able to mess with your Node.js and cause a denial of service. In simple terms, it means they could disrupt your Node.js operation.
CVE-2022-1292 (Cvss 3 Severity Score: 9.8)
Elison Niven identified a flaw in how Node.js deals with certain inputs. Suppose a user or an automated system accidentally opens a file that’s been specially crafted by a malicious actor. In that case, it opens the door for a potential scenario where malicious attackers could run any code they want.
CVE-2022-2068 (Cvss 3 Severity Score: 9.8)
This is another similar vulnerability where Node.js didn’t handle certain inputs correctly. Again, if a user or an automated system accidentally opens a specially crafted file, a remote attacker could potentially use this opening to run any code they want on your system. It was discovered by Chancen and Daniel Fiala.
CVE-2022-2097 (Cvss 3 Severity Score: 5.3)
Alex Chernyakhovsky also found a similar issue where Node.js mishandled certain inputs. In the event that a user or an automated system is tricked into opening a specially crafted input file, it might create an opportunity for a remote attacker to possibly execute any code they desire.
That’s all about discoveries and fixes of Node.js vulnerabilities in Ubuntu 22.04 LTS. It is necessary to update Node.js packages to newer versions to address the security issues and avoid potential risks. Also, these vulnerabilities are initially OpenSSL vulnerabilities and have been fixed earlier in OpenSSL packages.
The source of this story is available at USN-6457-1.