USN-6672-1: Node.js vulnerabilities

Releases

• Ubuntu 23.10
• Ubuntu 22.04 LTS
• Ubuntu 20.04 LTS

Packages

• nodejs - An open-source, cross-platform JavaScript runtime environment.

Details

Morgan Jones discovered that Node.js incorrectly handled certain inputs that
leads to false positive errors during some cryptographic operations. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 23.10. (CVE-2023-23919)

It was discovered that Node.js incorrectly handled certain inputs leaded to a
untrusted search path vulnerability. If a user or an automated system were
tricked into opening a specially crafted input file, a remote attacker could
possibly use this issue to perform a privilege escalation. (CVE-2023-23920)

Matt Caswell discovered that Node.js incorrectly handled certain inputs with
specially crafted ASN.1 object identifiers or data containing them. If a user
or an automated system were tricked into opening a specially crafted input
file, a remote attacker could possibly use this issue to cause a denial of
service. This issue only affected Ubuntu 22.04 LTS. (CVE-2023-2650)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 23.10

• libnode108 - 18.13.0+dfsg1-1ubuntu2.1
• nodejs - 18.13.0+dfsg1-1ubuntu2.1

Ubuntu 22.04

• libnode72 - 12.22.9~dfsg-1ubuntu3.4
• nodejs - 12.22.9~dfsg-1ubuntu3.4

Ubuntu 20.04

• libnode64 - 10.19.0~dfsg-3ubuntu1.5
• nodejs - 10.19.0~dfsg-3ubuntu1.5

In general, a standard system update will make all the necessary changes.

References

• CVE-2023-23919
• CVE-2023-23920
• CVE-2023-2650

Related notices

• USN-6119-1: openssl1.0, libssl3, libssl-dev, openssl, libssl1.1, libssl-doc, libssl1.0.0, libssl1.0-dev
• USN-6188-1: openssl, libssl1.0.0, libssl-dev, libssl-doc