Amazon Linux 2022 Security Advisory: ALAS-2022-019
Advisory Release Date: 2022-01-29 00:35 Pacific
Advisory Updated Date: 2022-02-03 18:40 Pacific
A flaw was found in Node.js where it accepted a certificate's Subject Alternative Names (SAN) entry, as opposed to what is specified by the HTTPS protocol. This flaw allows an active person-in-the-middle to forge a certificate and impersonate a trusted host. (CVE-2021-44531)
It was found that Node.js did not safely read the X.509 certificate generalName format, resulting in data injection. A certificate could use a specially crafted extension in order to be successfully validated, permitting an attacker to impersonate a trusted host. (CVE-2021-44532)
A flaw was found in Node.js, where it did not properly handle multi-value Relative Distinguished Names. This flaw allows a specially crafted X.509 certificate to produce a false multi-value Relative Distinguished Name and to inject arbitrary data in Node.js libraries. (CVE-2021-44533)
Prototype pollution via console.table properties (CVE-2022-21824)
Affected Packages:
nodejs
Issue Correction:
Run dnf update --releasever=2022.0.20220202 nodejs to update your system.
aarch64:
nodejs-libs-debuginfo-16.13.2-3.amzn2022.aarch64
v8-devel-9.4.146.24-1.16.13.2.3.amzn2022.aarch64
nodejs-debuginfo-16.13.2-3.amzn2022.aarch64
nodejs-devel-16.13.2-3.amzn2022.aarch64
nodejs-full-i18n-16.13.2-3.amzn2022.aarch64
nodejs-16.13.2-3.amzn2022.aarch64
nodejs-libs-16.13.2-3.amzn2022.aarch64
npm-8.1.2-1.16.13.2.3.amzn2022.aarch64
nodejs-debugsource-16.13.2-3.amzn2022.aarch64
noarch:
nodejs-docs-16.13.2-3.amzn2022.noarch
src:
nodejs-16.13.2-3.amzn2022.src
x86_64:
nodejs-libs-debuginfo-16.13.2-3.amzn2022.x86_64
nodejs-full-i18n-16.13.2-3.amzn2022.x86_64
nodejs-debuginfo-16.13.2-3.amzn2022.x86_64
v8-devel-9.4.146.24-1.16.13.2.3.amzn2022.x86_64
nodejs-16.13.2-3.amzn2022.x86_64
nodejs-devel-16.13.2-3.amzn2022.x86_64
nodejs-libs-16.13.2-3.amzn2022.x86_64
npm-8.1.2-1.16.13.2.3.amzn2022.x86_64
nodejs-debugsource-16.13.2-3.amzn2022.x86_64
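A post-update check against the fixed builds listed above, as an added example that is not part of the advisory: it reads "name version-release" lines and reports any package still below the fixed build. The function names and the sample inventory are assumptions made for illustration, epochs are ignored, and `sort -V` is used as an approximation of RPM's version comparison.

```shell
#!/bin/sh
# Fixed VERSION-RELEASE per package name, taken from the advisory's package list.
fixed_version() {
  case "$1" in
    nodejs|nodejs-libs|nodejs-devel|nodejs-full-i18n|nodejs-docs)
      echo "16.13.2-3.amzn2022" ;;
    npm)      echo "8.1.2-1.16.13.2.3.amzn2022" ;;
    v8-devel) echo "9.4.146.24-1.16.13.2.3.amzn2022" ;;
    *)        return 1 ;;   # package not covered by this advisory
  esac
}

# True when $1 sorts strictly before $2.
# Assumption: sort -V is close enough to rpm's comparison for these strings.
older_than() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads "name version-release" lines on stdin, prints one line per package
# below the fixed build, and returns 1 if any such package was found.
check_packages() {
  found=0
  while read -r name evr; do
    want=$(fixed_version "$name") || continue
    if older_than "$evr" "$want"; then
      echo "VULNERABLE $name $evr (fixed in $want)"
      found=1
    fi
  done
  return "$found"
}

# Constructed sample inventory (not real host data) for an offline run.
sample_inventory() {
  printf '%s\n' \
    'nodejs 16.13.1-1.amzn2022' \
    'nodejs-libs 16.13.2-3.amzn2022' \
    'npm 8.1.0-1.16.13.1.1.amzn2022' \
    'bash 5.1.8-2.amzn2022'
}

# On a real host, feed the function from the RPM database:
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' | check_packages
```

A non-zero return from `check_packages` means at least one listed package predates the fixed build and the `dnf update` step still needs to be applied.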