Bug 2105422 (CVE-2022-32212) - CVE-2022-32212 nodejs: DNS rebinding in --inspect via invalid IP addresses
Summary: CVE-2022-32212 nodejs: DNS rebinding in --inspect via invalid IP addresses
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2022-32212
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2108518 2108519 2108520 2108056 2108057 2108058 2108059 2108060 2108521 2108522 2108523 2108524 2108525 2108526 2109533 2109576 2109577 2109578 2121021
Blocks: 2105423
TreeView+ depends on / blocked
 
Reported: 2022-07-08 18:41 UTC by Sage McTaggart
Modified: 2022-11-30 07:28 UTC (History)
9 users (show)

Fixed In Version: nodejs 14.20.0, nodejs 16.20.0, nodejs 18.5.0
Clone Of:
Environment:
Last Closed: 2022-11-30 07:28:22 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:6389 0 None None None 2022-09-08 07:42:35 UTC
Red Hat Product Errata RHSA-2022:6448 0 None None None 2022-09-13 09:44:11 UTC
Red Hat Product Errata RHSA-2022:6449 0 None None None 2022-09-13 09:44:46 UTC
Red Hat Product Errata RHSA-2022:6595 0 None None None 2022-09-20 12:24:24 UTC
Red Hat Product Errata RHSA-2022:6985 0 None None None 2022-10-18 08:17:51 UTC

Description Sage McTaggart 2022-07-08 18:41:48 UTC 
CVE-2022-32212

The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided (for instance 10.0.2.555 is provided), browsers (such as Firefox) will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MITM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884.

More details will be available at CVE-2022-32212 after publication.

Thank you to Axel Chong for reporting this vulnerability.

Impacts:

All versions of the 18.x, 16.x, and 14.x releases lines.

https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/
Comment 3 TEJ RATHI 2022-07-19 08:20:28 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108518]
Affects: fedora-all [bug 2108521]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108522]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108519]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108523]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108524]


Created nodejs:16-epel/nodejs tracking bugs for this issue:

Affects: epel-all [bug 2108520]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108525]


Created nodejs:18/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 2108526]
Comment 4 Zuzana Svetlikova 2022-07-20 10:33:07 UTC 
Respective commits:

v14: https://github.com/nodejs/node/commit/48c5aa5cab
v16: https://github.com/nodejs/node/commit/754c9bfde0
v18: https://github.com/nodejs/node/commit/e4af5eba95
Comment 5 errata-xmlrpc 2022-09-08 07:42:33 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7

Via RHSA-2022:6389 https://access.redhat.com/errata/RHSA-2022:6389
Comment 6 errata-xmlrpc 2022-09-13 09:44:07 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6448 https://access.redhat.com/errata/RHSA-2022:6448
Comment 7 errata-xmlrpc 2022-09-13 09:44:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:6449 https://access.redhat.com/errata/RHSA-2022:6449
Comment 8 errata-xmlrpc 2022-09-20 12:24:21 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:6595 https://access.redhat.com/errata/RHSA-2022:6595
Comment 10 errata-xmlrpc 2022-10-18 08:17:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:6985 https://access.redhat.com/errata/RHSA-2022:6985
Comment 13 Product Security DevOps Team 2022-11-30 07:28:19 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32212
Note You need to log in before you can comment on or make changes to this bug.