
IT safety: Linux, UNIX and Windows are threatened – IT safety alert replace for Node.js (danger: medium)

by admin

As the BSI reports, an IT security alert about a known Node.js vulnerability has received an update. Here you can read the description of the security hole along with the latest updates and information about the affected Linux, UNIX and Windows operating systems and products.

The Federal Office for Information Security (BSI) issued an update on May 22, 2024 for the Node.js security vulnerability identified on April 10, 2024. The vulnerability affects the Linux, UNIX and Windows operating systems and the products IBM Business Automation Workflow, Fedora Linux, HCL BigFix and open source Node.js.

The latest manufacturer recommendations for updates, workarounds and security patches for this vulnerability can be found here: HCL Security Bulletin (from 23 May 2024). Some useful sources are listed later in this article.

Security advisory for Node.js – Risk: medium

Risk level: 4 (medium)
CVSS Base Score: 7.8
CVSS Temporal Score: 6.8
Remote attack: No

The Common Vulnerability Scoring System (CVSS) is used to assess the vulnerability of computer systems. The CVSS standard makes it possible to compare potential or actual security risks on the basis of various metrics in order to create a priority list for countermeasures. The qualitative ratings "none", "low", "medium", "high" and "critical" are used to classify the severity of a vulnerability. The Base Score evaluates the prerequisites of an attack (including authentication, complexity, privileges and user interaction) and its consequences. Temporal scores additionally take into account changes in the risk situation over time. According to CVSS, the severity of the current vulnerability is rated as "medium" with a base score of 7.8.


Node.js bug: vulnerability allows code execution

Node.js is a platform for developing network applications.

A local attacker could exploit a vulnerability in Node.js to execute arbitrary code.

The vulnerability has been assigned the identifier CVE-2024-27980 in the CVE (Common Vulnerabilities and Exposures) reference system.

Systems affected by the Node.js vulnerability at a glance

Operating systems
Linux, UNIX, Windows

Products
IBM Business Automation Workflow 21.0.2 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 21.0.3 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 22.0.1 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 18.0.0.0 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 18.0.0.1 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 18.0.0.2 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 19.0.0.1 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 19.0.0.2 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 19.0.0.3 (cpe:/a:ibm:business_automation_workflow)
Fedora Linux (cpe:/o:fedoraproject:fedora)
IBM Business Automation Workflow 20.0.0.1 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 20.0.0.2 (cpe:/a:ibm:business_automation_workflow)
HCL BigFix (cpe:/a:hcltech:bigfix)
IBM Business Automation Workflow 22.0.2 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 23.0.1 (cpe:/a:ibm:business_automation_workflow)
IBM Business Automation Workflow 23.0.2 (cpe:/a:ibm:business_automation_workflow)
Open Source Node.js

General recommendations for addressing IT security gaps

  1. Users of affected systems should keep them up to date. When security holes are identified, manufacturers are expected to fix them promptly by developing a patch or workaround. If security patches are available, install them immediately.
  2. For further information, see the sources listed in the next section. These often contain additional details about the latest version of the software in question and the availability of security patches or performance advice.
  3. If you have any further questions or uncertainties, please contact your responsible administrator. IT security managers should regularly check the sources mentioned to see whether a new security update is available.

Manufacturer information about updates, patches and workarounds

Here you will find some links with information about bug reports, security fixes and workarounds.

HCL Security Bulletin of 2024-05-23 (22.05.2024)
For more information, see:

IBM Security Bulletin 7150809 of 2024-05-10 (09.05.2024)
For more information, see:

Fedora Security Advisory FEDORA-2024-2C52524694 of 2024-04-11 (11.04.2024)
For more information, see:

Fedora Security Advisory FEDORA-2024-8D548B8C96 of 2024-04-11 (11.04.2024)
For more information, see:

OSS Mailing List as of 2024-04-10 (10.04.2024)
For more information, see:

Node.JS Security Release of 2024-04-10 (10.04.2024)
For more information, see:

Version history of this security alert

This is version 4 of this IT security notice for Node.js. If further updates are announced, this document will be updated. You can see the changes made in the version history below.

April 10, 2024 – First version
April 11, 2024 – Added new updates from Fedora
May 9, 2024 – New updates from IBM and IBM-APAR added
May 22, 2024 – New updates from HCL added

+++ Editorial note: This document is based on current BSI data and will be updated in a data-driven manner depending on the status of the alert. We welcome suggestions and comments at [email protected]. +++


kns/roj/news.de
