Researchers disclosed three vulnerabilities in multiple versions of Node.js. Two of the vulnerabilities are high in severity and one is low among the three. The first and the prominent High severity vulnerability is being tracked as CVE-2021-22931 is due to Improper handling of untypical characters in domain names. Let’s see how to fix CVE-2021-22931, CV E-2021-22940, and CVE-2021-22939.
Summary of CVE-2021-22931:
| Description | Node.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library. |
| CVSS v3 Base Score | 9.8 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality | High |
| Integrity Impact | High |
| Availability Impact | High |
Summary of CVE-2021-22940:
| Description | Node.js was vulnerable to use after the free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix. |
| CVSS v3 Base Score | 7.5 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality | None |
| Integrity Impact | High |
| Availability Impact | None |
Summary of CVE-2021-22939:
| Description | If the Node.js HTTPS API was used incorrectly and “undefined” was passed for the “rejectUnauthorized” parameter, no error was returned and connections to servers with an expired certificate would have been accepted. |
| CVSS v3 Base Score | 5.3 |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Confidentiality | None |
| Integrity Impact | Low |
| Availability Impact | None |
Node.js Versions Vulnerable To CVE-2021-22931, CV E-2021-22940, And CVE-2021-22939 Vulnerabilities:
Node.js versions before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to all three vulnerabilities.
- 16.6.0
- 14.17.4
- 12.22.4
Impact Of The CVE-2021-22931, CV E-2021-22940, And CVE-2021-22939 Vulnerabilities:
Attackers can leverage these vulnerabilities to carry out Remote Code Execution, XSS, Applications crashes, and even more attacks on the target. Adversaries can abuse these vulnerabilities to carry out DNS-cache injection attacks in case an application implements a cache based on the library. And, these vulnerabilities can be used to tunnel all kinds of injection payloads.
Advisories To Fix CVE-2021-22931, CV E-2021-22940, And CVE-2021-22939 From Popular Linux Distributions:
All the major Linux distributions were released patches to fix CVE-2021-22931, CV E-2021-22940, and CVE-2021-22939 vulnerabilities. We have provided the links to the advisories from the top Linux distributions here below. Visit the page of your Linux distributions to patch all three vulnerabilities in Node.js.
How To Fix CVE-2021-22931, CV E-2021-22940, And CVE-2021-22939 Vulnerabilities In Node.js?
These vulnerabilities are fixed on these Node.js versions. It is recommended to install or upgrade your Node.js to the versions equal or above these versions.
Download other Latest versions of Node.js from here.
How to Install or Upgrade Node.js on Ubuntu?
There are multiple ways to install or upgrade Node.js on Linux. The two most popular ways are installing Node.js compelled packages directly from the official repositories and installing nvm (Node.js Version Manager) then pulling the different versions of Node.js through nvm. We will show you both ways to install or upgrade. We are using Ubuntu in this demonstration. If you need installation on other distributions, you can ask in the comments. Or, visit this git page.
Let’s begin installing Node.js from the official repositories.
How to Install or Upgrade Node.js on Ubuntu?
- Default Node.js version on Ubuntu repositories
If you install Node.js from the official repositories, you will install v10.19.0.
Run this command to check the Node.js version get installed from the Ubuntu repository.
$ sudo apt-cache show nodejs
- Install Node.js from official Ubuntu repositories
Run this command to install Node.js from the official Ubuntu repository.
$ sudo apt install nodejs - Check the Node.js version in Linux
$ nodejs -v
- Install latest version of Node.js from downloading the package
The first thing you should need to do is to download the new Node.js package. Use curl or wget utilities on the terminal to download then install the downloaded package using apt-get package manager.
Node.js v17.x:
# Using Ubuntu
$ curl -fsSL https://deb.nodesource.com/setup_17.x | sudo -E bash –
$ sudo apt-get install -y nodejs
# Using Debian, as root
$ curl -fsSL https://deb.nodesource.com/setup_17.x | bash –
$ apt-get install -y nodejs
Node.js v16.x:
# Using Ubuntu
$ curl -fsSL https://deb.nodesource.com/setup_16.x | sudo -E bash –
$ sudo apt-get install -y nodejs
# Using Debian, as root
$ curl -fsSL https://deb.nodesource.com/setup_16.x | bash –
$ apt-get install -y nodejs
Node.js v14.x:
# Using Ubuntu
$ curl -fsSL https://deb.nodesource.com/setup_14.x | sudo -E bash –
$ sudo apt-get install -y nodejs
#Using Debian, as root
$ curl -fsSL https://deb.nodesource.com/setup_14.x | bash –
$ apt-get install -y nodejs
Node.js v12.x:
# Using Ubuntu
$ curl -fsSL https://deb.nodesource.com/setup_12.x | sudo -E bash –
$ sudo apt-get install -y nodejs
# Using Debian, as root
$ curl -fsSL https://deb.nodesource.com/setup_12.x | bash –
$ apt-get install -y nodejs
Node.js LTS (v16.x):
# Using Ubuntu
$ curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash –
# sudo apt-get install -y nodejs
# Using Debian, as root
$ curl -fsSL https://deb.nodesource.com/setup_lts.x | bash –
$ apt-get install -y nodejs
Node.js Current (v17.x):
# Using Ubuntu
$ curl -fsSL https://deb.nodesource.com/setup_current.x | sudo -E bash –
$ sudo apt-get install -y nodejs
# Using Debian, as root
$ curl -fsSL https://deb.nodesource.com/setup_current.x | bash –
$ apt-get install -y nodejs - Install Node.js from the downloaded package
Issue this command to install the downloaded Node.js package. Check the Node.js version after installation.
$ sudo apt-get install -y nodejs
$ node -v
Note: Since npm is included in this package. npm will also get installed along with the Node.js. Use this command to check the npm version.
$ npm -v
This is how you can install the latest version of Node.js on your Ubuntu.
Check this link for manual installation. - Install nvm (Node Version Manager)
nvm is a version manager for node.js, If you are a heavy user of Node.js and your work needs multiple versions of Node.js, then you should consider this method of installation, which will allow you to use multiple versions of Node.js simultaneously.
nvm works on any POSIX-compliant shell (sh, dash, ksh, zsh, bash), in particular on these platforms: Unix, macOS, and windows WSL.
You should run the install script to install or update nvm from the terminal. To do that, you may either download and run the script manually or use the following cURL or Wget command:
$ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash
Or
$ wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash
Following this run these commands for the different shells on the command line:
bash: $source ~/.bashrc
zsh: $source ~/.zshrc
ksh: $. ~/.profile - Install Node.js using nvm
Run this command to list all the available versions of Node.js in nvm. You will see a long list of Node.js versions available from the beginning to the latest. We recommend installing the latest LTS (Long Term Support) version or the latest version.
$ nvm list-remote
Once after you have chosen to install the desired version, run this command to install the Node.js version.
$ nvm install <version>
Ex:
1. $ nvm install v16.13.0
2. $ nvm install v17.0.1
You can install multiple versions of Node.js. The version you install will become the default version of Node.js. - Switch the Node.js version installed using nvm
Before switching to the Node.js version, it is good to know the versions installed on the server. Use this command to list the Node.js versions.
$ nvm list
Run this command to switch the Node.js versions on the server.
$ nvm use <version>
Ex:
1. $ nvm use v16.13.0
2. $ nvm use system - Uninstall Node.js on Ubuntu
We recommend uninstalling or removing the vulnerable versions of Node.js from the system. You can remove or purge the packages using apt package manager like other packages.
$sudo apt-get remove nodejs npm node
$sudo apt-get purge nodejs
After this, remove.nodeand.npmfolders from your system.
$ sudo rm -rf /usr/local/bin/npm
$ sudo rm -rf /usr/local/share/man/man1/node*
$ sudo rm -rf /usr/local/lib/dtrace/node.d
$ sudo rm -rf ~/.npm
$ sudo rm -rf ~/.node-gyp
$ sudo rm -rf /opt/local/bin/node
$ sudo rm -rf opt/local/include/node
$ sudo rm -rf /opt/local/lib/node_modules
$ sudo rm -rf /usr/local/lib/node*
$ sudo rm -rf /usr/local/include/node*
$ sudo rm -rf /usr/local/bin/node*
This is how you can fix CVE-2021-22931, CV E-2021-22940, and CVE-2021-22939 by installing the new Node.js version. We recommend removing the vulnerable versions of Node.js from the system.
We hope this post would help you in knowing How to Fix CVE-2021-22931- Missing Input Validation in Domain Names in Node.js. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on Facebook, LinkedIn, Twitter, Telegram, Tumblr, & Medium and subscribe to receive updates like this.
