Bug 2230956 (CVE-2023-32559)
Summary: | CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Mauro Matteo Cascella <mcascell> |
Component: | vulnerability | Assignee: | Nobody <nobody> |
Status: | NEW --- | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | hhorak, jorton, nodejs-maint |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Doc Text: |
A vulnerability was found in Node.js. The deprecated API process.binding() can be used to bypass the policy mechanism: it allows internal modules to be required, and process.binding('spawn_sync') can then be used to run arbitrary code outside of the limits defined in a policy.json file.
|
Bug Depends On: | 2233400, 2233403, 2230972, 2230973, 2230974, 2230975, 2233397, 2233398, 2233399, 2233401, 2233402, 2233404, 2233406, 2233407, 2233897, 2233898, 2234407, 2234412, 2236095, 2236100, 2236141 | ||
Bug Blocks: | 2230962 |
Description
Mauro Matteo Cascella
2023-08-10 10:06:05 UTC
Created nodejs tracking bugs for this issue:
Affects: epel-7 [bug 2233397]
Affects: fedora-37 [bug 2233402]

Created nodejs16 tracking bugs for this issue:
Affects: fedora-38 [bug 2233398]

Created nodejs18 tracking bugs for this issue:
Affects: fedora-38 [bug 2233401]

Created nodejs20 tracking bugs for this issue:
Affects: fedora-38 [bug 2233406]

Created nodejs:13/nodejs tracking bugs for this issue:
Affects: epel-8 [bug 2233400]

Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-37 [bug 2233404]

Created nodejs:16-epel/nodejs tracking bugs for this issue:
Affects: epel-8 [bug 2233403]

Created nodejs:16/nodejs tracking bugs for this issue:
Affects: fedora-38 [bug 2233407]

Created nodejs:18/nodejs tracking bugs for this issue:
Affects: fedora-37 [bug 2233399]

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8.6 Extended Update Support
Via RHSA-2023:5361 https://access.redhat.com/errata/RHSA-2023:5361

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:5363 https://access.redhat.com/errata/RHSA-2023:5363

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:5360 https://access.redhat.com/errata/RHSA-2023:5360

This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2023:5362 https://access.redhat.com/errata/RHSA-2023:5362

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9.0 Extended Update Support
Via RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533

This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2023:5532 https://access.redhat.com/errata/RHSA-2023:5532