Security update for nodejs18 SUSE Patch security@suse.de SUSE Security Team SUSE-SU-2023:3378-1 Final 1 1 2023-08-22T16:35:28Z current 2023-08-22T16:35:28Z 2023-08-22T16:35:28Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for nodejs18 This update for nodejs18 fixes the following issues: Update to LTS version 18.17.1. - CVE-2023-32002: Fixed permissions policies bypass via Module._load (bsc#1214150). - CVE-2023-32006: Fixed permissions policies impersonation using module.constructor.createRequire() (bsc#1214156). - CVE-2023-32559: Fixed permissions policies bypass via process.binding (bsc#1214154). The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Container bci/node:18-2023-3378,SUSE-2023-3378,SUSE-SLE-Module-Web-Scripting-15-SP4-2023-3378,SUSE-SLE-Module-Web-Scripting-15-SP5-2023-3378,openSUSE-SLE-15.4-2023-3378,openSUSE-SLE-15.5-2023-3378 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/update/announcement/2023/suse-su-20233378-1/ Link for SUSE-SU-2023:3378-1 https://lists.suse.com/pipermail/sle-security-updates/2023-August/015991.html E-Mail link for SUSE-SU-2023:3378-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings https://bugzilla.suse.com/1214150 SUSE Bug 1214150 https://bugzilla.suse.com/1214154 SUSE Bug 1214154 https://bugzilla.suse.com/1214156 SUSE Bug 1214156 https://www.suse.com/security/cve/CVE-2023-32002/ SUSE CVE CVE-2023-32002 page https://www.suse.com/security/cve/CVE-2023-32006/ SUSE CVE CVE-2023-32006 page https://www.suse.com/security/cve/CVE-2023-32559/ SUSE CVE CVE-2023-32559 page Container bci/node:18 SUSE Linux Enterprise Module for Web and Scripting 15 SP4 SUSE Linux Enterprise Module for Web and Scripting 15 SP5 openSUSE Leap 15.4 openSUSE Leap 15.5 nodejs18-18.17.1-150400.9.12.1 npm18-18.17.1-150400.9.12.1 corepack18-18.17.1-150400.9.12.1 nodejs18-devel-18.17.1-150400.9.12.1 nodejs18-docs-18.17.1-150400.9.12.1 nodejs18-18.17.1-150400.9.12.1 as a component of Container bci/node:18 npm18-18.17.1-150400.9.12.1 as a component of Container bci/node:18 nodejs18-18.17.1-150400.9.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 nodejs18-devel-18.17.1-150400.9.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 nodejs18-docs-18.17.1-150400.9.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 npm18-18.17.1-150400.9.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP4 nodejs18-18.17.1-150400.9.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 nodejs18-devel-18.17.1-150400.9.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 nodejs18-docs-18.17.1-150400.9.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 npm18-18.17.1-150400.9.12.1 as a component of SUSE Linux Enterprise Module for Web and Scripting 15 SP5 corepack18-18.17.1-150400.9.12.1 as a component of openSUSE Leap 15.4 nodejs18-18.17.1-150400.9.12.1 as a component of openSUSE Leap 15.4 nodejs18-devel-18.17.1-150400.9.12.1 as a component of openSUSE Leap 15.4 nodejs18-docs-18.17.1-150400.9.12.1 as a component of openSUSE Leap 15.4 npm18-18.17.1-150400.9.12.1 as a component of openSUSE Leap 15.4 corepack18-18.17.1-150400.9.12.1 as a component of openSUSE Leap 15.5 nodejs18-18.17.1-150400.9.12.1 as a component of openSUSE Leap 15.5 nodejs18-devel-18.17.1-150400.9.12.1 as a component of openSUSE Leap 15.5 nodejs18-docs-18.17.1-150400.9.12.1 as a component of openSUSE Leap 15.5 npm18-18.17.1-150400.9.12.1 as a component of openSUSE Leap 15.5 The use of `Module._load()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. CVE-2023-32002 Container bci/node:18:nodejs18-18.17.1-150400.9.12.1 Container bci/node:18:npm18-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-devel-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-docs-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:npm18-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-devel-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-docs-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:npm18-18.17.1-150400.9.12.1 openSUSE Leap 15.4:corepack18-18.17.1-150400.9.12.1 openSUSE Leap 15.4:nodejs18-18.17.1-150400.9.12.1 openSUSE Leap 15.4:nodejs18-devel-18.17.1-150400.9.12.1 openSUSE Leap 15.4:nodejs18-docs-18.17.1-150400.9.12.1 openSUSE Leap 15.4:npm18-18.17.1-150400.9.12.1 openSUSE Leap 15.5:corepack18-18.17.1-150400.9.12.1 openSUSE Leap 15.5:nodejs18-18.17.1-150400.9.12.1 openSUSE Leap 15.5:nodejs18-devel-18.17.1-150400.9.12.1 openSUSE Leap 15.5:nodejs18-docs-18.17.1-150400.9.12.1 openSUSE Leap 15.5:npm18-18.17.1-150400.9.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233378-1/ https://www.suse.com/security/cve/CVE-2023-32002.html CVE-2023-32002 https://bugzilla.suse.com/1214150 SUSE Bug 1214150 The use of `module.constructor.createRequire()` can bypass the policy mechanism and require modules outside of the policy.json definition for a given module. This vulnerability affects all users using the experimental policy mechanism in all active release lines: 16.x, 18.x, and, 20.x. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. CVE-2023-32006 Container bci/node:18:nodejs18-18.17.1-150400.9.12.1 Container bci/node:18:npm18-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-devel-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-docs-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:npm18-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-devel-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-docs-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:npm18-18.17.1-150400.9.12.1 openSUSE Leap 15.4:corepack18-18.17.1-150400.9.12.1 openSUSE Leap 15.4:nodejs18-18.17.1-150400.9.12.1 openSUSE Leap 15.4:nodejs18-devel-18.17.1-150400.9.12.1 openSUSE Leap 15.4:nodejs18-docs-18.17.1-150400.9.12.1 openSUSE Leap 15.4:npm18-18.17.1-150400.9.12.1 openSUSE Leap 15.5:corepack18-18.17.1-150400.9.12.1 openSUSE Leap 15.5:nodejs18-18.17.1-150400.9.12.1 openSUSE Leap 15.5:nodejs18-devel-18.17.1-150400.9.12.1 openSUSE Leap 15.5:nodejs18-docs-18.17.1-150400.9.12.1 openSUSE Leap 15.5:npm18-18.17.1-150400.9.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233378-1/ https://www.suse.com/security/cve/CVE-2023-32006.html CVE-2023-32006 https://bugzilla.suse.com/1214156 SUSE Bug 1214156 A privilege escalation vulnerability exists in the experimental policy mechanism in all active release lines: 16.x, 18.x and, 20.x. The use of the deprecated API `process.binding()` can bypass the policy mechanism by requiring internal modules and eventually take advantage of `process.binding('spawn_sync')` run arbitrary code, outside of the limits defined in a `policy.json` file. Please note that at the time this CVE was issued, the policy is an experimental feature of Node.js. CVE-2023-32559 Container bci/node:18:nodejs18-18.17.1-150400.9.12.1 Container bci/node:18:npm18-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-devel-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:nodejs18-docs-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP4:npm18-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-devel-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:nodejs18-docs-18.17.1-150400.9.12.1 SUSE Linux Enterprise Module for Web and Scripting 15 SP5:npm18-18.17.1-150400.9.12.1 openSUSE Leap 15.4:corepack18-18.17.1-150400.9.12.1 openSUSE Leap 15.4:nodejs18-18.17.1-150400.9.12.1 openSUSE Leap 15.4:nodejs18-devel-18.17.1-150400.9.12.1 openSUSE Leap 15.4:nodejs18-docs-18.17.1-150400.9.12.1 openSUSE Leap 15.4:npm18-18.17.1-150400.9.12.1 openSUSE Leap 15.5:corepack18-18.17.1-150400.9.12.1 openSUSE Leap 15.5:nodejs18-18.17.1-150400.9.12.1 openSUSE Leap 15.5:nodejs18-devel-18.17.1-150400.9.12.1 openSUSE Leap 15.5:nodejs18-docs-18.17.1-150400.9.12.1 openSUSE Leap 15.5:npm18-18.17.1-150400.9.12.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/support/update/announcement/2023/suse-su-20233378-1/ https://www.suse.com/security/cve/CVE-2023-32559.html CVE-2023-32559 https://bugzilla.suse.com/1214154 SUSE Bug 1214154