ALAS2023-2023-304

Amazon Linux 2023 Security Advisory: ALAS-2023-304
Advisory Release Date: 2023-08-17 11:20 Pacific
Advisory Updated Date: 2023-08-23 22:30 Pacific
Severity: Important
Issue Overview:

The use of Module._load() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. (CVE-2023-32002)

The use of module.constructor.createRequire() can bypass the policy mechanism and require modules outside of the policy.json definition for a given module.

Please note that at the time this CVE was issued, the policy mechanism is an experimental feature of Node.js.

Impacts:

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. (CVE-2023-32006)

The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits defined in a policy.json file.

Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js.

Impacts

This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. (CVE-2023-32559)


Affected Packages:

nodejs


Issue Correction:
Run dnf update nodejs --releasever 2023.1.20230823 to update your system.

New Packages:
aarch64:
    nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.10.aarch64
    nodejs-full-i18n-18.12.1-1.amzn2023.0.10.aarch64
    nodejs-libs-18.12.1-1.amzn2023.0.10.aarch64
    nodejs-devel-18.12.1-1.amzn2023.0.10.aarch64
    nodejs-18.12.1-1.amzn2023.0.10.aarch64
    nodejs-debuginfo-18.12.1-1.amzn2023.0.10.aarch64
    v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.10.aarch64
    npm-8.19.2-1.18.12.1.1.amzn2023.0.10.aarch64
    nodejs-debugsource-18.12.1-1.amzn2023.0.10.aarch64

noarch:
    nodejs-docs-18.12.1-1.amzn2023.0.10.noarch

src:
    nodejs-18.12.1-1.amzn2023.0.10.src

x86_64:
    nodejs-libs-debuginfo-18.12.1-1.amzn2023.0.10.x86_64
    v8-devel-10.2.154.15-1.18.12.1.1.amzn2023.0.10.x86_64
    nodejs-full-i18n-18.12.1-1.amzn2023.0.10.x86_64
    nodejs-libs-18.12.1-1.amzn2023.0.10.x86_64
    nodejs-debuginfo-18.12.1-1.amzn2023.0.10.x86_64
    nodejs-devel-18.12.1-1.amzn2023.0.10.x86_64
    nodejs-18.12.1-1.amzn2023.0.10.x86_64
    npm-8.19.2-1.18.12.1.1.amzn2023.0.10.x86_64
    nodejs-debugsource-18.12.1-1.amzn2023.0.10.x86_64

Additional References

Red Hat: CVE-2023-32002, CVE-2023-32006, CVE-2023-32559

Mitre: CVE-2023-32002, CVE-2023-32006, CVE-2023-32559