Several Node.js Vulnerabilities Fixed in Ubuntu


Rohan Timalsina

October 10, 2023 - TuxCare expert team

The recent Ubuntu security updates have addressed several Node.js vulnerabilities, including high and critical severity flaws, in different Ubuntu versions. When exploited by attackers, these issues could result in a denial of service or exposure of sensitive information. Updating Node.js packages is therefore highly recommended to maintain system security.

Node.js Vulnerabilities Patched in Ubuntu

CVE-2019-15604

CVSS 3.x Score: 7.5 High

Discovered by Rogier Schouten, this vulnerability was caused by incorrect handling of certain inputs by Node.js. If a user or an automated system opens a specially crafted input file, a remote attacker can use this issue to cause a denial of service. Only Ubuntu 16.04 LTS and Ubuntu 18.04 LTS systems are affected by this flaw.

Both Ubuntu versions have already reached the end of life, so the update is only available for Ubuntu Pro subscribers. Alternatively, you can use TuxCare’s Extended Lifecycle Support for automated vulnerability patches for up to four years after the end-of-life period.

CVE-2019-15605

CVSS 3.x Score: 9.8 Critical

Ethan Rubinson identified a vulnerability in Node.js where it mishandled certain inputs. A remote attacker may be able to use this flaw to gain sensitive information if they can trick a user or automated system into opening a specially crafted input file. Only Ubuntu 16.04 LTS and Ubuntu 18.04 LTS systems are affected.

CVE-2019-15606

CVSS 3.x Score: 9.8 Critical

Alyssa Wilk found a flaw in Node.js where it mishandled specific inputs. If a user or an automated system were deceived into opening a specially crafted input file, it could potentially enable a remote attacker to execute arbitrary code. This vulnerability was limited to Ubuntu 16.04 LTS and Ubuntu 18.04 LTS.

CVE-2020-8174

CVSS 3.x Score: 8.1 High

Tobias Niessen identified an issue in Node.js where it mishandled specific inputs. If a user or an automated system were deceived into opening a specially crafted input file, it could potentially be exploited by a remote attacker to trigger a denial of service. Only Ubuntu 18.04 LTS and Ubuntu 20.04 LTS are affected.

CVE-2020-8265 (CVSS 3.x Score: 8.1 High), CVE-2020-8287 (CVSS 3.x Score: 6.5 Medium)

A vulnerability was detected in Node.js where it mishandled specific inputs. If a user or an automated system were deceived into opening a specially crafted input file, it could potentially lead to a denial of service when exploited by a remote attacker.

CVE-2021-22883

CVSS 3.x Score: 7.5 High

A vulnerability was identified in Node.js due to improper handling of certain inputs. If a user or an automated system were deceived into opening a specially crafted input file, it could potentially be exploited by a remote attacker to trigger a denial of service. This issue was addressed in Ubuntu 20.04 LTS only.

CVE-2021-22884

CVSS 3.x Score: 7.5 High

Vít Šesták detected a vulnerability in Node.js where it mishandled specific inputs. If a user or an automated system were deceived into opening a specially crafted input file, it could potentially allow a remote attacker to execute arbitrary code. This issue was addressed in Ubuntu 20.04 LTS and Ubuntu 18.04 LTS.

Final Thoughts

All these vulnerabilities have been addressed in the new package versions, so you must upgrade your Node.js packages to avoid the security risks. Security is a continuous process, and it requires you to stay vigilant and secure the system with the latest security patches and best practices.

So, consider using an automatic solution like KernelCare Enterprise, which automatically applies all security updates without disrupting any services due to patching-related downtime. Its live patching method mitigates vulnerabilities while ensuring 100% uptime of your servers by eliminating the need to reboot or schedule maintenance windows.

The sources for this article are available at USN-6380-1 and USN-6418-1.
