Security Bulletin
Summary
Security Vulnerabilities in Node.js affects IBM Voice Gateway. The vulnerability has been addressed.
Vulnerability Details
CVEID: CVE-2023-30581
DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by the use of proto in process.mainModule.proto.require(). By sending a specially crafted request, an attacker could exploit this vulnerability to bypass experimental policy mechanism.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258615 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2023-30586
DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by an error in the crypto.setEngine() API when called with a compatible OpenSSL engine. By manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory, an attacker could exploit this vulnerability to bypass the permission model.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258622 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2023-34462
DESCRIPTION: Netty is vulnerable to a denial of service, caused by a flaw with allocating up to 16MB of heap for each channel during the TLS handshake the SniHandler class. By sending a specially crafted client hello packet, a remote authenticated attacker could exploit this vulnerability to cause a OutOfMemoryError and so result in a denial of service condition.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258713 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
CVEID: CVE-2023-30585
DESCRIPTION: Node.js could allow a remote attacker to gain elevated privileges on the system, caused by an error in the installation process during the repair operation, where the "msiexec.exe" process attempts to read the %USERPROFILE% environment variable from the current user's registry. An attacker could exploit this vulnerability to create folders in unintended and potentially malicious locations.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258621 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2023-30584
DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by a path traversal bypass when verifying file permissions. By sending a specially crafted request, an attacker could exploit this vulnerability to bypass the experimental permission model.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258617 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2023-30587
DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions. By exploiting the Worker class's ability to create an "internal worker" with the kIsInternal Symbol, an attacker could exploit this vulnerability to modify the isInternal value when an inspector is attached within the Worker constructor before initializing a new WorkerImpl.
CVSS Base score: 7.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258618 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2023-30583
DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by a missing check in the fs.openAsBlob() API. By using the file system read restriction with the --allow-fs-read flag, an attacker could exploit this vulnerability to bypass the experimental permission model.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258620 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2023-30588
DESCRIPTION: Node.js is vulnerable to a denial of service, caused by invalid public key information in x509 certificates. By accessing public key info of provided certificates from user code, an attacker could exploit this vulnerability to force interruptions of application processing and cause a denial of service.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258623 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
CVEID: CVE-2023-30589
DESCRIPTION: Node.js is vulnerable to HTTP request smuggling, caused by the failure to strictly use the CRLF sequence to delimit HTTP requests by the llhttp parser in the http module. By sending specially crafted HTTP request headers, an attacker could exploit this vulnerability to poison the web cache, bypass web application firewall protection, and conduct XSS attacks.
CVSS Base score: 5.9
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258624 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N)
CVEID: CVE-2023-30590
DESCRIPTION: Node.js could provide weaker than expected security, caused by the failure to generate keys after setting a private key by the generateKeys() API function. By sending a specially crafted request, an attacker could exploit this vulnerability to launch further attacks on the system.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258625 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
CVEID: CVE-2023-30582
DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by the failure to restrict file watching through the fs.watchFile API. By sending a specially crafted request, an attacker could exploit this vulnerability to monitor restricted files.
CVSS Base score: 5.3
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/258619 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N)
IBM X-Force ID: 259772
DESCRIPTION: Node.js could allow a remote attacker to bypass security restrictions, caused by the failure to respect whether the relevant directories use case-insensitive path processing by process.permission.deny(). By using case-insensitive paths and changing capitalization, an attacker could exploit this vulnerability to bypass permission model restrictions.
CVSS Base score: 6.5
CVSS Temporal Score: See: https://exchange.xforce.ibmcloud.com/vulnerabilities/259772 for the current score.
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Affected Products and Versions
Affected Product(s) | Version(s) |
Voice Gateway | 1.0.7 |
Voice Gateway | 1.0.6 |
Voice Gateway | 1.0.2.4 |
Voice Gateway | 1.0.4 |
Voice Gateway | 1.0.7.1 |
Voice Gateway | 1.0.2 |
Voice Gateway | 1.0.8 |
Voice Gateway | 1.0.5 |
Voice Gateway | 1.0.3 |
Remediation/Fixes
IBM strongly suggests upgrading to the following IBM Voice Gateway 1.0.8.x images:
ibmcom/voice-gateway-mr:1.0.8.10
ibmcom/voice-gateway-tts-adapter:1.0.8.6
ibmcom/voice-gateway-stt-adapter:1.0.8.6
The above images can be found at the below links:
https://hub.docker.com/r/ibmcom/voice-gateway-mr/tags
https://hub.docker.com/r/ibmcom/voice-gateway-tts-adapter/tags
https://hub.docker.com/r/ibmcom/voice-gateway-stt-adapter/tags
Workarounds and Mitigations
None
Get Notified about Future Security Bulletins
References
Acknowledgement
Change History
21 Jul 2023: Initial Publication
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Security Bulletin.
Disclaimer
According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES ""AS IS"" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY. In addition to other efforts to address potential vulnerabilities, IBM periodically updates the record of components contained in our product offerings. As part of that effort, if IBM identifies previously unidentified packages in a product/service inventory, we address relevant vulnerabilities regardless of CVE date. Inclusion of an older CVEID does not demonstrate that the referenced product has been used by IBM since that date, nor that IBM was aware of a vulnerability as of that date. We are making clients aware of relevant vulnerabilities as we become aware of them. "Affected Products and Versions" referenced in IBM Security Bulletins are intended to be only products and versions that are supported by IBM and have not passed their end-of-support or warranty date. Thus, failure to reference unsupported or extended-support products and versions in this Security Bulletin does not constitute a determination by IBM that they are unaffected by the vulnerability. Reference to one or more unsupported versions in this Security Bulletin shall not create an obligation for IBM to provide fixes for any unsupported or extended-support products or versions.
Document Location
Worldwide
Was this topic helpful?
Document Information
Modified date:
31 January 2024
UID
ibm17013909