Several Node.js Vulnerabilities Fixed in Ubuntu
The recent Ubuntu security updates have addressed several Node.js vulnerabilities, including high and critical severity flaws across different Ubuntu versions. When exploited by attackers, these issues could result in a denial of service, exposure of sensitive information or, in some cases, arbitrary code execution. Updating the Node.js packages is therefore highly recommended to maintain system security.
Node.js Vulnerabilities Patched in Ubuntu
CVE-2019-15604
CVSS 3.x Score: 7.5 High
Discovered by Rogier Schouten, this vulnerability is caused by Node.js incorrectly handling certain inputs. If a user or an automated system opens a specially crafted input file, a remote attacker can use this issue to cause a denial of service. Only Ubuntu 16.04 LTS and Ubuntu 18.04 LTS systems are affected by this flaw.
Both Ubuntu versions have already reached end of life, so the update is only available to Ubuntu Pro subscribers. Alternatively, TuxCare’s Extended Lifecycle Support provides automated vulnerability patches for up to four years after the end-of-life date.
CVE-2019-15605
CVSS 3.x Score: 9.8 Critical
Ethan Rubinson identified a vulnerability in Node.js where it mishandled certain inputs. A remote attacker may be able to use this flaw to obtain sensitive information if they can trick a user or an automated system into opening a specially crafted input file. Only Ubuntu 16.04 LTS and Ubuntu 18.04 LTS systems are affected.
CVE-2019-15606
CVSS 3.x Score: 9.8 Critical
Alyssa Wilk found a flaw in Node.js that mishandled specific inputs. If a user or an automated system were deceived into opening a specially crafted input file, it could potentially enable a remote attacker to execute arbitrary code. This vulnerability was limited to Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.
CVE-2020-8174
CVSS 3.x Score: 8.1 High
Tobias Niessen identified an issue in Node.js where it mishandled specific inputs. If a user or an automated system were deceived into opening a specially crafted input file, a remote attacker could exploit it to trigger a denial of service. Only Ubuntu 18.04 LTS and Ubuntu 20.04 LTS are affected.
CVE-2020-8265 (CVSS 3.x Score: 8.1 High), CVE-2020-8287 (CVSS 3.x Score: 6.5 Medium)
Both vulnerabilities stem from Node.js mishandling specific inputs. If a user or an automated system were deceived into opening a specially crafted input file, a remote attacker could exploit them to cause a denial of service.
CVE-2021-22883
CVSS 3.x Score: 7.5 High
A vulnerability was identified in Node.js due to improper handling of certain inputs. If a user or an automated system were deceived into opening a specially crafted input file, a remote attacker could exploit it to trigger a denial of service. Note that this issue was addressed in Ubuntu 20.04 LTS only.
CVE-2021-22884
CVSS 3.x Score: 7.5 High
Vít Šesták detected a vulnerability in Node.js where it mishandled specific inputs. If a user or an automated system were deceived into opening a specially crafted input file, it could potentially allow a remote attacker to execute arbitrary code. This issue was addressed in Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.
Final Thoughts
All these vulnerabilities have been addressed in the new package versions, so you must upgrade your Node.js packages to avoid the security risks. Security is a continuous process that requires you to stay vigilant and keep the system protected with the latest security patches and best practices.
Fortify your Ubuntu system with Linux kernel live patching. Utilize automated patching solutions like KernelCare Enterprise, which automatically applies important security updates to the Linux kernel without the need for a system reboot, ensuring continuous operation and minimizing downtime. KernelCare supports all major Linux distributions, including Ubuntu, Debian, AlmaLinux, RHEL, CentOS, Rocky Linux, CloudLinux, Oracle Linux, Amazon Linux, and more.
The sources for this article are available at USN-6380-1 and USN-6418-1.