IT security: Linux, macOS X and UNIX at risk – IT security warning update for Node.js (risk: medium)

by admin

As the BSI reports, an IT security alert about a known Node.js vulnerability has received an update. You can read here at news.de which products are affected by the security holes.

The Federal Office for Information Security (BSI) issued an update on May 22, 2024 to a high-risk Node.js security gap identified on April 3, 2024. The vulnerability affects Linux, macOS and Open Source Node.js applications.

The latest vendor recommendations for updates, workarounds and security patches for this vulnerability can be found here: Oracle Linux Security Advisory ELSA-2024-2910 (from 23 May 2024). Some useful resources are listed later in this article.

Multiple Node.js vulnerabilities – Risk: medium

Risk level: 3 (medium)
CVSS Base Score: 7.5
CVSS Temporal Score: 6.5
Remote attack: Yes

The Common Vulnerability Scoring System (CVSS) is used to assess the severity of security vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security risks on the basis of various criteria in order to prioritize countermeasures. The attributes "none", "low", "medium", "high" and "critical" are used to determine the severity levels of a vulnerability. The Base Score assesses the prerequisites of an attack (including authentication, complexity, privileges and user interaction) and its consequences. Temporal scores additionally take into account changes in the risk situation over time. The risk of the vulnerability discussed here is classified as "medium" according to CVSS, with a base score of 7.5.

Node.js bug: description of the attack

Node.js is a platform for developing network applications.

A remote, anonymous attacker could exploit several vulnerabilities in Node.js to bypass security measures or cause a denial of service.

Vulnerabilities are numbered for each product using the CVE (Common Vulnerabilities and Exposures) reference system: CVE-2024-27982 and CVE-2024-27983.

Systems affected by the Node.js vulnerability at a glance

Operating systems
Linux, macOS X, UNIX, Windows


Products
IBM Business Automation Workflow 21.0.2 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 21.0.3 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 22.0.1 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 18.0.0.0 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 18.0.0.1 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 18.0.0.2 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 19.0.0.1 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 19.0.0.2 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 19.0.0.3 (cpe:/a:ibm:business_automation_workflow)
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
Fedora Linux (cpe:/o:fedoraproject:fedora)
IBM Business Automation Workflow 20.0.0.1 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 20.0.0.2 (cpe:/a:ibm:business_automation_workflow)
SUSE Linux (cpe:/o:suse:suse_linux)
Oracle Linux (cpe:/o:oracle:linux)
HCL BigFix (cpe:/a:hcltech:bigfix)
IBM Business Automation Workflow 22.0.2 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 23.0.1 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 23.0.2 (cpe:/a:ibm:business_automation_workflow)
RESF Rocky Linux (cpe:/o:resf:rocky_linux)
IBM App Connect Enterprise (cpe:/a:ibm:app_connect_enterprise)
Open Source Node.js llhttp
Open Source Node.js undici

General steps for dealing with IT vulnerabilities

  1. Users of affected systems should keep them up to date. When security holes become known, vendors are expected to close them quickly by developing a patch or workaround. When new security updates are available, install them immediately.
  2. For details, see the sources listed in the next section. These usually contain further information about the latest version of the software in question and the availability of security patches or hardening recommendations.
  3. If you have any further questions or uncertainties, please contact your responsible administrator. IT security officers should check every time a vendor makes a new security update available.
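Step 1 in practice means knowing whether the Node.js build on a host is already at the patched release. The following POSIX shell script is an added example and not part of the BSI notice or the Node.js project; it compares the installed `node --version` against a minimum patched version that you must take from the vendor advisory for your platform (this notice does not state it, so the value below is a placeholder).

```sh
#!/bin/sh
# Added example, not part of the BSI notice or the Node.js project: compare the
# installed Node.js version with the minimum patched release for its line.
# The patched minimum is NOT given in this notice; take it from the vendor
# advisory for your platform (the value used below is a placeholder).

# version_ge A B: return 0 when version A is >= version B.
# Accepts "vX.Y.Z" or "X.Y.Z"; a pre-release suffix such as "-rc" is ignored.
version_ge() {
    a=$(printf '%s' "$1" | sed 's/^v//; s/[^0-9.].*//').0.0
    b=$(printf '%s' "$2" | sed 's/^v//; s/[^0-9.].*//').0.0
    i=1
    while [ "$i" -le 3 ]; do
        x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
        y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0   # major, minor and patch are all equal
}

# check_node MIN: exit status 0 = patched, 1 = below MIN, 2 = node not installed.
check_node() {
    command -v node >/dev/null 2>&1 || { echo "node is not installed"; return 2; }
    installed=$(node --version)
    if version_ge "$installed" "$1"; then
        echo "node $installed is at or above the patched minimum $1"
        return 0
    fi
    echo "node $installed is BELOW the patched minimum $1: install the vendor update"
    return 1
}

# Runs only when the operator passes the patched minimum, e.g.
#   NODE_MIN_PATCHED=20.0.0 sh check_node.sh    (20.0.0 is a placeholder)
if [ -n "${NODE_MIN_PATCHED:-}" ]; then
    check_node "$NODE_MIN_PATCHED" || exit $?
fi
```

The exit status makes the script usable from a configuration-management or fleet-inventory job, so hosts still below the patched minimum can be listed rather than checked by hand.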

Sources for updates, patches and workarounds

Here you will find some links with information about bug reports, security fixes and workarounds.

Oracle Linux Security Advisory ELSA-2024-2910 of 2024-05-23 (22.05.2024)
For more information, see:

HCL Security Bulletin of 2024-05-23 (22.05.2024)
For more information, see:

Red Hat Security Advisory RHSA-2024:2910 of 2024-05-20 (20.05.2024)
For more information, see:

Red Hat Security Advisory RHSA-2024:2937 of 2024-05-21 (20.05.2024)
For more information, see:


Oracle Linux Security Advisory ELSA-2024-2853 of 2024-05-17 (16.05.2024)
For more information, see:

IBM Security Bulletin 7152858 of 2024-05-16 (15.05.2024)
For more information, see:

Red Hat Security Advisory RHSA-2024:2853 of 2024-05-15 (15.05.2024)
For more information, see:

Oracle Linux Security Advisory ELSA-2024-2779 of 2024-05-15 (14.05.2024)
For more information, see:

Oracle Linux Security Advisory ELSA-2024-2780 of 2024-05-10 (12.05.2024)
For more information, see:

IBM Security Bulletin 7150809 of 2024-05-10 (09.05.2024)
For more information, see:

Red Hat Security Advisory RHSA-2024:2778 of 2024-05-09 (09.05.2024)
For more information, see:

Rocky Linux Security Advisory RLSA-2024:2780 of 2024-05-09 (09.05.2024)
For more information, see:

Rocky Linux Security Advisory RLSA-2024:2779 of 2024-05-09 (09.05.2024)
For more information, see:

Red Hat Security Advisory RHSA-2024:2780 of 2024-05-09 (09.05.2024)
For more information, see:

Rocky Linux Security Advisory RLSA-2024:2778 of 2024-05-09 (09.05.2024)
For more information, see:

Red Hat Security Advisory RHSA-2024:2779 of 2024-05-09 (09.05.2024)
For more information, see:

Oracle Linux Security Advisory ELSA-2024-2778 of 2024-05-09 (09.05.2024)
For more information, see:

SUSE Security Update SUSE-SU-2024:1346-1 of 2024-04-19 (21.04.2024)
For more information, see:

SUSE Security Update SUSE-SU-2024:1355-1 of 2024-04-19 (21.04.2024)
For more information, see:

SUSE Security Update SUSE-SU-2024:1309-1 of 2024-04-16 (16.04.2024)
For more information, see:

SUSE Security Update SUSE-SU-2024:1305-1 of 2024-04-16 (16.04.2024)
For more information, see:

SUSE Security Update SUSE-SU-2024:1307-1 of 2024-04-16 (16.04.2024)
For more information, see:

SUSE Security Update SUSE-SU-2024:1306-1 of 2024-04-16 (16.04.2024)
For more information, see:

SUSE Security Update SUSE-SU-2024:1308-1 of 2024-04-16 (16.04.2024)
For more information, see:

SUSE Security Update SUSE-SU-2024:1301-1 of 2024-04-16 (15.04.2024)
For more information, see:

Fedora Security Advisory FEDORA-2024-2FFE03EAA6 of 2024-04-11 (11.04.2024)
For more information, see:

Fedora Security Advisory FEDORA-2024-F83B123D63 of 2024-04-11 (11.04.2024)
For more information, see:

Fedora Security Advisory FEDORA-2024-8DEAADD998 of 2024-04-11 (11.04.2024)
For more information, see:

Fedora Security Advisory FEDORA-2024-5DC487EE89 of 2024-04-11 (11.04.2024)
For more information, see:

Fedora Security Advisory FEDORA-2024-2F15E6E876 of 2024-04-11 (11.04.2024)
For more information, see:


Fedora Security Advisory FEDORA-2024-E28CCC9C17 of 2024-04-11 (11.04.2024)
For more information, see:

Fedora Security Advisory FEDORA-EPEL-2024-CE142428AF of 2024-04-12 (11.04.2024)
For more information, see:

Fedora Security Advisory FEDORA-2024-91BB4ED803 of 2024-04-08 (08.04.2024)
For more information, see:

Fedora Security Advisory FEDORA-2024-25B66392E2 of 2024-04-08 (08.04.2024)
For more information, see:

Node.js Security Release April 2024 of 2024-04-03 (03.04.2024)
For more information, see:

Version history of this security alert

This is version 13 of this Node.js IT security notice. This document will be updated as further updates are announced. You can see the changes made in the version history below.

April 3, 2024 – First version
April 8, 2024 – New updates from Fedora added
April 11, 2024 – New updates from Fedora added
April 15, 2024 – New updates from SUSE added
April 16, 2024 – New updates from SUSE added
April 21, 2024 – New updates from SUSE added
May 9, 2024 – New updates from Oracle Linux, Red Hat, Rocky Enterprise Software Foundation, IBM and IBM-APAR added
May 12, 2024 – New Oracle Linux updates added
May 14, 2024 – New Oracle Linux updates added
May 15, 2024 – New updates from Red Hat added
May 16, 2024 – New Oracle Linux updates added
May 20, 2024 – New updates from Red Hat added
May 22, 2024 – New updates from HCL added

+++ Editorial note: This document is based on current BSI data and will be updated in a data-driven manner depending on the status of the alert. We welcome suggestions and feedback at [email protected]. +++


kns/roj/news.de
