SB2022011847 - SUSE update for nodejs12

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Improper Certificate Validation (CVE-ID: CVE-2021-44531)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to insufficient validation of URI Subject Alternative Names. Node.js accepts arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type. A remote attacker can bypass name-constrained intermediates and perform spoofing attack.

2) Improper validation of certificate with host mismatch (CVE-ID: CVE-2021-44532)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper validation of certificates, when converting SANs (Subject Alternative Names) to a string format. A remote attacker can inject special characters into the string and perform spoofing attack.

3) Improper Certificate Validation (CVE-ID: CVE-2021-44533)

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper validation of certificate subject and issuer fields. A remote attacker can create a certificate with specially crafted multi-value Relative Distinguished Names and perform spoofing attack.

4) Prototype pollution (CVE-ID: CVE-2022-21824)

The vulnerability allows a remote attacker to perform a denial of service attack.

The vulnerability exists due to the formatting logic of the console.table() function. A remote attacker can send a specially crafted request and assign an empty string to numerical keys of the object prototype.

Remediation

Install update from vendor's website.

References

• https://www.suse.com/support/update/announcement/2022/suse-su-20220113-1/