Recent Node.js Vulnerabilities Fixed in Ubuntu
Several vulnerabilities within Node.js were identified, posing a significant threat to Ubuntu systems. These vulnerabilities could enable attackers to execute arbitrary code on compromised systems, potentially leading to severe consequences for affected users. To address these risks, the Ubuntu security team swiftly released security updates across multiple Ubuntu releases, including Ubuntu 22.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 18.04.
Details of Node.js Vulnerabilities
CVE-2022-32212 (CVSS 3 Severity Score: 8.1 High)
Axel Chong discovered that Node.js mishandled certain inputs, opening the door for remote attackers to execute arbitrary code.
CVE-2022-32213, CVE-2022-32214, CVE-2022-32215 (CVSS 3 Severity Score: 6.5 Medium)
Zeyu Zhang uncovered vulnerabilities in Node.js that could be exploited via specially crafted input files. While these issues only affect Ubuntu 22.04 LTS, they underscore the importance of robust input validation and handling mechanisms.
CVE-2022-35256 (CVSS 3 Severity Score: 6.5 Medium)
Node.js exhibited a flaw in input handling: the llhttp parser within the http module of Node v18.7.0 fails to properly handle header fields lacking CRLF termination. Opening a specially crafted input file could enable remote attackers to execute arbitrary code, specifically on Ubuntu 22.04 LTS.
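To make the CRLF point concrete, here is an added example (written for this article, not code from the advisory, Node.js or llhttp) of a strict HTTP header-block parser that rejects any field not terminated by CRLF, the hardened behaviour a parser should have; the function and field names are this example's own.

```javascript
'use strict';
// Added example: a strict HTTP/1.1 header-section parser. Every header field
// must end with CRLF; a bare CR or LF inside a field is rejected rather than
// silently treated as a line terminator, which is the class of malformed
// input CVE-2022-35256 concerns.

const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/; // allowed field-name chars (RFC 9110 tchar)
const CRLF = '\r\n';

// Parses the header section (everything after the start line, up to and
// including the empty line). Returns { headers: [[name, value], ...], consumed }
// on success, or { error } explaining why the input was rejected.
function parseHeaders(raw) {
  const headers = [];
  let pos = 0;
  for (;;) {
    const end = raw.indexOf(CRLF, pos);
    if (end === -1) {
      return { error: 'header field not terminated by CRLF' };
    }
    const line = raw.slice(pos, end);
    pos = end + CRLF.length;
    if (line.length === 0) {
      return { headers, consumed: pos }; // empty line ends the header section
    }
    // A bare CR or LF can only appear here if it was not part of a CRLF pair.
    if (line.includes('\r') || line.includes('\n')) {
      return { error: 'bare CR or LF inside header field' };
    }
    const colon = line.indexOf(':');
    if (colon <= 0) {
      return { error: 'header field has no name or no colon' };
    }
    const name = line.slice(0, colon);
    if (!TOKEN.test(name)) {
      return { error: `invalid characters in field name ${JSON.stringify(name)}` };
    }
    // Whitespace around the value is tolerated; whitespace in the name is not.
    headers.push([name.toLowerCase(), line.slice(colon + 1).trim()]);
  }
}

// Constructed samples: a well-formed section, then one field ended by a bare LF.
console.log(parseHeaders('Host: example.test\r\nContent-Length: 5\r\n\r\n'));
console.log(parseHeaders('Host: example.test\nContent-Length: 5\r\n\r\n'));
```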
CVE-2022-43548 (CVSS 3 Severity Score: 8.1 High)
Another similar vulnerability was found in Node.js regarding input handling, impacting only Ubuntu 22.04 LTS. Opening a specially crafted input file could potentially allow remote attackers to execute arbitrary code.
Mitigating the Risks
The discovery of these vulnerabilities underscores the importance of proactive security measures. Users of Node.js are strongly advised to update their packages to the latest available versions promptly. By staying informed and proactive in applying updates, organizations can mitigate the risks posed by these vulnerabilities and ensure the ongoing security of their Node.js environments.
Ubuntu 18.04 has already reached end of life, so it only receives security updates through an Ubuntu Pro subscription with Extended Security Maintenance. However, that is not the most cost-effective option if you only need patching. TuxCare’s Extended Lifecycle Support for Ubuntu 18.04 is a more affordable solution that provides five additional years of security patching after the end-of-life date. It keeps your Ubuntu 18.04 workloads secure while you focus on planning a safe migration path.
Conclusion
While Node.js remains a powerful and versatile platform for building applications, its vulnerabilities serve as a reminder of the ever-present need for robust cybersecurity practices. By staying informed about emerging threats and promptly implementing security updates, users can safeguard their systems and mitigate the risks posed by security vulnerabilities.
Source: USN-6491-1