Bug 2230956 (CVE-2023-32559) - CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding
Summary: CVE-2023-32559 nodejs: Permissions policies can be bypassed via process.binding
Keywords:
Status: NEW
Alias: CVE-2023-32559
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Nobody
QA Contact:
URL:
Whiteboard:
Depends On: 2233400 2233403 2230972 2230973 2230974 2230975 2233397 2233398 2233399 2233401 2233402 2233404 2233406 2233407 2233897 2233898 2234407 2234412 2236095 2236100 2236141
Blocks: 2230962
TreeView+ depends on / blocked
 
Reported: 2023-08-10 10:06 UTC by Mauro Matteo Cascella
Modified: 2024-02-01 09:01 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in NodeJS. This security issue occurs as the use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') to run arbitrary code outside of the limits defined in a policy.json file.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2023:5402 0 None None None 2023-09-28 15:26:49 UTC
Red Hat Product Errata RHBA-2023:5404 0 None None None 2023-09-28 18:27:21 UTC
Red Hat Product Errata RHBA-2023:5409 0 None None None 2023-10-02 08:11:41 UTC
Red Hat Product Errata RHBA-2023:5420 0 None None None 2023-10-03 15:11:30 UTC
Red Hat Product Errata RHBA-2023:5680 0 None None None 2023-10-12 08:12:00 UTC
Red Hat Product Errata RHBA-2023:5779 0 None None None 2023-10-17 09:26:55 UTC
Red Hat Product Errata RHSA-2023:5360 0 None None None 2023-09-26 14:52:10 UTC
Red Hat Product Errata RHSA-2023:5361 0 None None None 2023-09-26 14:50:42 UTC
Red Hat Product Errata RHSA-2023:5362 0 None None None 2023-09-26 14:58:50 UTC
Red Hat Product Errata RHSA-2023:5363 0 None None None 2023-09-26 14:51:39 UTC
Red Hat Product Errata RHSA-2023:5532 0 None None None 2023-10-09 10:26:53 UTC
Red Hat Product Errata RHSA-2023:5533 0 None None None 2023-10-09 10:27:00 UTC

Description Mauro Matteo Cascella 2023-08-10 10:06:05 UTC
The use of the deprecated API process.binding() can bypass the policy mechanism by requiring internal modules and eventually take advantage of process.binding('spawn_sync') run arbitrary code, outside of the limits defined in a policy.json file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x.

Security Advisory:
https://nodejs.org/en/blog/vulnerability/august-2023-security-releases#permissions-policies-can-be-bypassed-via-processbinding-mediumcve-2023-32559

Comment 2 Sandipan Roy 2023-08-22 07:16:16 UTC
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 2233397]
Affects: fedora-37 [bug 2233402]


Created nodejs16 tracking bugs for this issue:

Affects: fedora-38 [bug 2233398]


Created nodejs18 tracking bugs for this issue:

Affects: fedora-38 [bug 2233401]


Created nodejs20 tracking bugs for this issue:

Affects: fedora-38 [bug 2233406]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2233400]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2233404]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-8 [bug 2233403]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-38 [bug 2233407]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-37 [bug 2233399]

Comment 3 errata-xmlrpc 2023-09-26 14:50:41 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:5361 https://access.redhat.com/errata/RHSA-2023:5361

Comment 4 errata-xmlrpc 2023-09-26 14:51:38 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5363 https://access.redhat.com/errata/RHSA-2023:5363

Comment 5 errata-xmlrpc 2023-09-26 14:52:08 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5360 https://access.redhat.com/errata/RHSA-2023:5360

Comment 6 errata-xmlrpc 2023-09-26 14:58:49 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:5362 https://access.redhat.com/errata/RHSA-2023:5362

Comment 7 errata-xmlrpc 2023-10-09 10:26:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:5533 https://access.redhat.com/errata/RHSA-2023:5533

Comment 8 errata-xmlrpc 2023-10-09 10:26:52 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:5532 https://access.redhat.com/errata/RHSA-2023:5532


Note You need to log in before you can comment on or make changes to this bug.