Red Hat Enterprise Linux 8 update for the nodejs:18 module



Published: 2022-12-06
Risk Medium
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2022-3517
CVE-2022-43548
CWE-ID CWE-185
CWE-350
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe
Red Hat Enterprise Linux for ARM 64
Operating systems & Components / Operating system

Red Hat Enterprise Linux for Power, little endian
Operating systems & Components / Operating system

Red Hat Enterprise Linux for IBM z Systems
Operating systems & Components / Operating system

Red Hat Enterprise Linux for x86_64
Operating systems & Components / Operating system

Vendor Red Hat Inc.

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Incorrect Regular Expression

EUVDB-ID: #VU69942

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-3517

CWE-ID: CWE-185 - Incorrect Regular Expression

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient input validation when processing regular expressions. A remote attacker can pass specially crafted data to the application and perform regular expression denial of service (ReDos) attack.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0


CPE2.3 External links

http://access.redhat.com/errata/RHSA-2022:8833

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

2) Reliance on Reverse DNS Resolution for a Security-Critical Action

EUVDB-ID: #VU69354

Risk: Medium

CVSSv3.1:

CVE-ID: CVE-2022-43548

CWE-ID: CWE-350 - Reliance on Reverse DNS Resolution for a Security-Critical Action

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform DNS rebinding attacks.

The vulnerability exists due to improper validation of octal IP address within the Node.js rebinding protector for --inspec. A remote attacker can resolve the invalid octal address via DNS. When combined with an active --inspect session, such as when using VSCode, an attacker can perform DNS rebinding and execute arbitrary code in client's browser.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Red Hat Enterprise Linux for ARM 64: 8

Red Hat Enterprise Linux for Power, little endian: 8

Red Hat Enterprise Linux for IBM z Systems: 8

Red Hat Enterprise Linux for x86_64: 8.0


CPE2.3 External links

http://access.redhat.com/errata/RHSA-2022:8833

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?



###SIDEBAR###