SB2021092227 - SUSE update for nodejs14
Published: September 22, 2021
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 5 secuirty vulnerabilities.
1) Use-after-free (CVE-ID: CVE-2021-22930)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error when processing HTTP/2 stream canceling requests. A remote attacker can send a specially crafted HTTP/2 request, trigger a use-after-free error and execute arbitrary code on the system.
Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable system.
2) Improper input validation (CVE-ID: CVE-2021-22931)
The vulnerability allows a remote non-authenticated attacker to execute arbitrary code.
The vulnerability exists due to improper input validation within the Cluster: General (Node.js) component in MySQL Cluster. A remote non-authenticated attacker can exploit this vulnerability to execute arbitrary code.
3) Improper Certificate Validation (CVE-ID: CVE-2021-22939)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to incomplete validation of rejectUnauthorized parameter. A remote attacker can cause the connections to servers with an expired certificate would have been accepted.
4) Use-after-free (CVE-ID: CVE-2021-22940)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error. A remote attacker can change process behavior.
5) Input validation error (CVE-ID: CVE-2021-3672)
The vulnerability allows a remote attacker to hijack domains.
The vulnerability exists due to insufficient validation of host names, returned by the DNS server. A remote attacker can pass specially crafted input to the application and perform domain hijacking.
Remediation
Install update from vendor's website.