Hello,
I am using version 6.3 on a RHEL8. It seems that in this version node.js is used in a version with security vulnerabilities.
How do I find out which versions of node.js are installed? (I used the package installation.) How do I update the version without getting problems with my zammad installation?
regards
Roberto
/opt/zammad/bin/node -v
v20.9.0
This version has the following security findings:
CVE-2024-21892 - Code injection and privilege escalation through Linux capabilities - (High)
CVE-2024-22019 - http: Reading unprocessed HTTP request with unbounded chunk extension allows DoS attacks - (High)
CVE-2024-21896 - Path traversal by monkey-patching Buffer internals - (High)
CVE-2024-22017 - setuid() does not drop all privileges due to io_uring - (High)
CVE-2023-46809 - Node.js is vulnerable to the Marvin Attack (timing variant of the Bleichenbacher attack against PKCS#1 v1.5 padding) - (Medium)
CVE-2024-21891 - Multiple permission model bypasses due to improper path traversal sequence sanitization - (Medium)
CVE-2024-21890 - Improper handling of wildcards in --allow-fs-read and --allow-fs-write - (Medium)
CVE-2024-22025 - Denial of Service by resource exhaustion in fetch() brotli decoding - (Medium)
I should upgrade to version 20.11.1
How can I do this without breaking the system?
The following is technically possible but not update-safe nor recommended. Any issue occurring from this action is solely your issue.
Dangerzone
The bundled node binary is only required in case you have to run a rake asset:precompile. This usually only applies to those that change Zammad's CSS, for example.
So technically you can remove it. In my test, installing a nodejs package from the repository would still make the precompile work (without it, it won't).
As mentioned above, proceed with care.
Our packager currently is not planning to adjust the version, so.
Thank you for your answer.
I will first change the permissions so that node is no longer executable. Let’s see if that’s enough for the auditor.
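An added shell check, not from the thread or the Zammad project, that puts the points above into one script: it queries the bundled binary the way the reply does and compares the result numerically against 20.11.1 (a plain string comparison would wrongly rank v20.9.0 above v20.11.1), and it also recognises the two interim states discussed here, binary removed and binary no longer executable. Only the path /opt/zammad/bin/node and the version 20.11.1 come from the thread; everything else is assumed.

```shell
#!/bin/sh
# Added example, not from the thread: audit the Node.js binary that Zammad
# bundles at /opt/zammad/bin/node (the path quoted above). Versions are
# compared numerically, because a plain string comparison would rank
# "v20.9.0" above the fixed release "v20.11.1".
ZAMMAD_NODE=/opt/zammad/bin/node
MIN_NODE=20.11.1   # first release fixing the CVEs listed in the thread

# Return 0 when $1 (e.g. "v20.9.0") is older than $2 (e.g. "20.11.1").
# Both arguments may carry a leading "v"; major.minor.patch are compared
# as integers, left to right.
version_older_than() {
    a=${1#v}; b=${2#v}
    set -- $(printf '%s %s\n' "$a" "$b" | tr '.' ' ')
    # $1 $2 $3 = major/minor/patch of a; $4 $5 $6 = same for b
    [ "$1" -lt "$4" ] && return 0
    [ "$1" -gt "$4" ] && return 1
    [ "$2" -lt "$5" ] && return 0
    [ "$2" -gt "$5" ] && return 1
    [ "$3" -lt "$6" ]
}

# Report the state of the bundled binary. Return 1 when it is executable and
# older than MIN_NODE, 2 when it cannot be queried, 0 otherwise (absent,
# not executable as in the interim mitigation above, or up to date).
audit_bundled_node() {
    bin=${1:-$ZAMMAD_NODE}
    if [ ! -e "$bin" ]; then
        echo "$bin: not present (bundled node removed)"; return 0
    fi
    if [ ! -x "$bin" ]; then
        echo "$bin: present but not executable"; return 0
    fi
    v=$("$bin" -v 2>/dev/null) || { echo "$bin: cannot run -v"; return 2; }
    if version_older_than "$v" "$MIN_NODE"; then
        echo "$bin: $v is older than $MIN_NODE, affected by the listed CVEs"
        return 1
    fi
    echo "$bin: $v is at or above $MIN_NODE"
}

# Run against the bundled path, or against a path given as first argument.
audit_bundled_node "$@"
```

The non-zero exit status makes the check usable from a cron job or a configuration-management run, so a re-appearing or re-enabled bundled binary after a Zammad package update is noticed.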