ALAS-2024-768

Amazon Linux 2023 Security Advisory: ALAS-2024-768
Advisory Release Date: 2024-11-13 12:28 Pacific
Advisory Updated Date: 2024-11-14 11:00 Pacific
Severity: Medium
Issue Overview:

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-read flag is used. This flaw arises from an inadequate permission model that fails to restrict file stats through the fs.lstat API. As a result, malicious actors can retrieve stats from files that they do not have explicit read access to. (CVE-2024-22018)

A security flaw in Node.js allows a bypass of network import restrictions.
By embedding non-network imports in data URLs, an attacker can execute arbitrary code, compromising system security.
Verified on various platforms, the vulnerability is mitigated by forbidding data URLs in network imports.
Exploiting this flaw can violate network import security, posing a risk to developers and servers. (CVE-2024-22020)

node-tar is a Tar for Node.js. node-tar prior to version 6.2.1 has no limit on the number of sub-folders created in the folder creation process. An attacker who generates a large number of sub-folders can consume memory on the system running node-tar and even crash the Node.js client within few seconds of running it using a path with too many sub-folders inside. Version 6.2.1 fixes this issue by preventing extraction in excessively deep sub-folders. (CVE-2024-28863)

A vulnerability has been identified in Node.js, affecting users of the experimental permission model when the --allow-fs-write flag is used.

Node.js Permission Model do not operate on file descriptors, however, operations such as fs.fchown or fs.fchmod can use a "read-only" file descriptor to change the owner and permissions of a file. (CVE-2024-36137)


Affected Packages:

nodejs20


Issue Correction:
Run dnf update nodejs20 --releasever 2023.6.20241111 to update your system.

New Packages:
aarch64:
    nodejs20-libs-debuginfo-20.18.0-1.amzn2023.0.2.aarch64
    nodejs20-debuginfo-20.18.0-1.amzn2023.0.2.aarch64
    nodejs20-full-i18n-20.18.0-1.amzn2023.0.2.aarch64
    nodejs20-devel-20.18.0-1.amzn2023.0.2.aarch64
    v8-11.3-devel-11.3.244.8-1.20.18.0.1.amzn2023.0.2.aarch64
    nodejs20-20.18.0-1.amzn2023.0.2.aarch64
    nodejs20-libs-20.18.0-1.amzn2023.0.2.aarch64
    nodejs20-npm-10.8.2-1.20.18.0.1.amzn2023.0.2.aarch64
    nodejs20-debugsource-20.18.0-1.amzn2023.0.2.aarch64

noarch:
    nodejs20-docs-20.18.0-1.amzn2023.0.2.noarch

src:
    nodejs20-20.18.0-1.amzn2023.0.2.src

x86_64:
    nodejs20-debuginfo-20.18.0-1.amzn2023.0.2.x86_64
    nodejs20-libs-debuginfo-20.18.0-1.amzn2023.0.2.x86_64
    nodejs20-full-i18n-20.18.0-1.amzn2023.0.2.x86_64
    v8-11.3-devel-11.3.244.8-1.20.18.0.1.amzn2023.0.2.x86_64
    nodejs20-20.18.0-1.amzn2023.0.2.x86_64
    nodejs20-libs-20.18.0-1.amzn2023.0.2.x86_64
    nodejs20-devel-20.18.0-1.amzn2023.0.2.x86_64
    nodejs20-npm-10.8.2-1.20.18.0.1.amzn2023.0.2.x86_64
    nodejs20-debugsource-20.18.0-1.amzn2023.0.2.x86_64

Additional References

Red Hat: CVE-2024-22018, CVE-2024-22020, CVE-2024-28863, CVE-2024-36137

Mitre: CVE-2024-22018, CVE-2024-22020, CVE-2024-28863, CVE-2024-36137