Date: 2023-04-26
As the BSI reports, the IT security warning regarding a known vulnerability in Node.js has received an update. You can find out here how affected users should respond.
The German Federal Office for Information Security (BSI) published an update on April 25th, 2023 to an advisory covering several vulnerabilities in Node.js that became known on February 17th, 2023. The operating systems UNIX, Linux and Windows as well as the products Debian Linux, IBM DB2, Red Hat Enterprise Linux, Fedora Linux, SUSE Linux, Oracle Linux and Open Source Node.js are affected.
The latest manufacturer recommendations regarding updates, workarounds and security patches for this vulnerability can be found here: IBM Security Bulletin 6985689 (Status: 04/24/2023). Other useful links are listed later in this article.
Multiple vulnerabilities in Node.js – Risk: medium
Risk level: 3 (medium)
CVSS Base Score: 7.5
CVSS Temporal Score: 6.5
Remote attack: Yes
The Common Vulnerability Scoring System (CVSS) is used to assess the severity of security vulnerabilities in computer systems. The CVSS standard makes it possible to compare potential or actual security vulnerabilities based on various criteria in order to better prioritize countermeasures. The attributes “none”, “low”, “medium”, “high” and “critical” are used for the severity of a vulnerability. The base score assesses the prerequisites for an attack (including authentication, complexity, privileges, user interaction) and its consequences. The temporal score also takes into account changes in the risk situation over time. The severity of the vulnerability discussed here is rated as “medium” according to the CVSS with a base score of 7.5.
Node.js Bug: Vulnerabilities and CVE Numbers
Node.js is a platform for developing network applications.
A remote, anonymous, or authenticated attacker could exploit multiple vulnerabilities in Node.js to bypass security measures, disclose sensitive information, and cause a denial of service condition.
The vulnerabilities are tracked under the unique CVE identifiers (Common Vulnerabilities and Exposures) CVE-2023-23918, CVE-2023-23936, CVE-2023-23919, CVE-2023-24807 and CVE-2023-23920.
Systems affected by the Node.js vulnerability at a glance
Operating systems
UNIX, Linux, Windows
Products
Debian Linux (cpe:/o:debian:debian_linux)
IBM DB2 (cpe:/a:ibm:db2)
Red Hat Enterprise Linux (cpe:/o:redhat:enterprise_linux)
Fedora Linux (cpe:/o:fedoraproject:fedora)
SUSE Linux (cpe:/o:suse:suse_linux)
Oracle Linux (cpe:/o:oracle:linux)
Open Source Node.js < 14.21.3 (cpe:/a:nodejs:nodejs)
Open Source Node.js < 16.19.1 (cpe:/a:nodejs:nodejs)
Open Source Node.js < 18.14.1 (cpe:/a:nodejs:nodejs)
Open Source Node.js < 19.6.1 (cpe:/a:nodejs:nodejs)
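The version thresholds above are the only hard criterion the advisory gives for the upstream Node.js binary, so a small check that compares a running interpreter's version against the first fixed release of its major line is the natural triage step. The script below is an added example, not code from the BSI or IBM advisory; the fixed-version table is taken from the list above, and the sample version strings are constructed.

```javascript
// First fixed release per major line, as listed in the advisory above.
// Majors not in this table (e.g. 20, or end-of-life lines such as 12) are
// simply not covered by the advisory and are reported as undecidable.
const FIXED_VERSIONS = { 14: '14.21.3', 16: '16.19.1', 18: '18.14.1', 19: '19.6.1' };

// Parse "v18.14.0" or "18.14.0" into [major, minor, patch] numbers.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Node.js version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric (not string) comparison of [major, minor, patch]: <0, 0 or >0.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// true  -> below the fixed release for its major line (affected)
// false -> at or above the fixed release
// null  -> major line not covered by the advisory table
function isAffected(version) {
  const v = parseVersion(version);
  const fixed = FIXED_VERSIONS[v[0]];
  if (fixed === undefined) return null;
  return compareVersions(v, parseVersion(fixed)) < 0;
}

// Human-readable verdict with the version to update to.
function describe(version) {
  const r = isAffected(version);
  if (r === null) return `${version}: major line not covered by this advisory`;
  const fixed = FIXED_VERSIONS[parseVersion(version)[0]];
  return r ? `${version}: AFFECTED, update to ${fixed} or later`
           : `${version}: not affected by the listed CVEs`;
}

// Constructed sample inputs, followed by the interpreter running this script.
for (const v of ['v14.21.2', 'v16.19.1', 'v18.13.0', 'v19.6.1', 'v20.0.0', process.version]) {
  console.log(describe(v));
}
```

The check only applies to the upstream Node.js release numbers; distribution packages (Debian, Red Hat, SUSE, Oracle Linux, Fedora) often backport fixes without changing the upstream version string, so for those the vendor advisories listed in the sources section are authoritative.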
General measures for dealing with IT security gaps
- Users of the affected systems should keep them up to date. When security vulnerabilities become known, manufacturers are required to remedy them as quickly as possible by developing a patch or a workaround. If security patches are available, install them promptly.
- For information, consult the sources listed in the next section. These often contain further information on the latest version of the software in question and the availability of security patches or tips on workarounds.
- If you have any further questions or are uncertain, please contact your responsible administrator. IT security officers should regularly check whether the manufacturers affected by this IT security warning have made a new security update available.
Sources for updates, patches and workarounds
Here you will find further links with information about bug reports, security fixes and workarounds.
Version history of this security alert
This is the 15th version of this IT security notice for Node.js. As further updates are announced, this text will be updated. The following version history lists the changes made.
02/17/2023 – Initial version
02/27/2023 – Added new updates from Debian
03/03/2023 – Added new updates from Fedora
03/06/2023 – Added new updates from SUSE
03/09/2023 – Added new updates from SUSE
03/14/2023 – Added new updates from SUSE
03/15/2023 – Added new updates from SUSE
03/31/2023 – Added new updates from Fedora
04/03/2023 – Added new updates from Red Hat
04/04/2023 – Added new updates from Fedora
04/05/2023 – Added new updates from Oracle Linux
04/11/2023 – Added new updates from Red Hat
04/13/2023 – Added new updates from Red Hat
04/14/2023 – Added new updates from Oracle Linux
04/25/2023 – Added new updates from IBM
