Bug 2219824 (CVE-2023-30581)

Summary: CVE-2023-30581 nodejs: mainModule.__proto__ bypass experimental policy mechanism
Product: [Other] Security Response
Reporter: Dhananjay Arunesh <darunesh>
Component: vulnerability
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: hhorak, jorton, jstanek, nodejs-maint, zsvetlik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability has been discovered in Node.js, where the use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2023-08-08 13:15:03 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2219827, 2219828, 2219825, 2219826, 2220685, 2220686, 2220687, 2220688, 2220689, 2220690, 2220691, 2220692, 2223314, 2223336, 2223337, 2223631, 2223650, 2223680, 2223681
Bug Blocks: 2217661

Description Dhananjay Arunesh 2023-07-05 14:48:47 UTC
The use of __proto__ in process.mainModule.__proto__.require() can bypass the policy mechanism and require modules outside of the policy.json definition.

References:
https://nodejs.org/en/blog/vulnerability/june-2023-security-releases

Comment 1 Dhananjay Arunesh 2023-07-05 14:49:30 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2219828]
Affects: fedora-all [bug 2219826]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2219825]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2219827]

Comment 2 Dhananjay Arunesh 2023-07-06 04:48:23 UTC
Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2220686]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2220685]

Comment 6 errata-xmlrpc 2023-07-31 09:32:28 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4331 https://access.redhat.com/errata/RHSA-2023:4331

Comment 7 errata-xmlrpc 2023-07-31 09:32:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:4330 https://access.redhat.com/errata/RHSA-2023:4330

Comment 8 errata-xmlrpc 2023-08-08 08:37:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4536 https://access.redhat.com/errata/RHSA-2023:4536

Comment 9 errata-xmlrpc 2023-08-08 08:38:01 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:4537 https://access.redhat.com/errata/RHSA-2023:4537

Comment 10 Product Security DevOps Team 2023-08-08 13:15:02 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2023-30581

Comment 11 errata-xmlrpc 2023-09-26 14:50:36 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5361 https://access.redhat.com/errata/RHSA-2023:5361

Comment 12 errata-xmlrpc 2023-10-09 10:26:44 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533