Wichtiges Sicherheitsupdate für Nvidias KI-System DGX A100 erschienen

Vulnerabilities in node.js allow code smuggling

Several security gaps in the JavaScript runtime environment node.js endanger users: Attackers could smuggle malicious code into the older versions from afar. The developers released bug-fixed versions for the weekend. Developers and administrators of affected web applications should install the update quickly.

The vulnerability with the highest severity is based on bypassing bug fixes for a security problem that was already fixed last year (CVE-2021-22884) – a common flaw, according to Google, half of the zero-day gaps on it. The check on IsAllowedHost Attackers can bypass because the feature IsIPAddress does not correctly check whether an address is valid or not.

Attackers can trigger a DNS request from the web browser by specifying invalid values ​​(the developers give as an example as the IP). If they are in a man-in-the-middle position or control the DNS server, they could forge DNS responses to trigger a rebind attack and connect to the WebSocket debugger – and thus execute arbitrary code (CVE-2022 -32212, no CVSS score yet, risk “high“).

In addition, node.js could be injected into Windows with manipulated libraries if OpenSSL is installed and a configuration file is in the path C:Program FilesCommon FilesSSLopenssl.cnf exists. In that case searches node.exe after providers.dll in the Windows DLL search path and would include a library deposited by attackers in these paths (CVE-2022-32223, no CVSS score yet, high). The 18 branch of node.js is not affected by the vulnerability.

In their blog post, the developers of node.js classify the other vulnerabilities as medium risk (CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-32222 and CVE-2022-2097) . With the new versions node.js 18.5.0, 16.16.0 (LTS) and 14.20.0 (LTS) the project closes these security gaps. Administrators should apply the updates expeditiously.

MacBook Air M2: Deteriorated availability, first benchmarks and colorful cables Previous post MacBook Air M2: Deteriorated availability, first benchmarks and colorful cables
Heise's webinar: Shells & Backdoors Next post Heise’s webinar: Shells & Backdoors