IT39897: SECURITY APAR FOR CVE-2022-21824, CVE-2021-44533, CVE-2021-44531,CVE-2021-44532

APAR status

• Closed as program error.

Error description

• All] Node.js (including core and 3rd party modules) -
  CVE-2022-21824 ,  CVE-2021-44533, CVE-2021-44531,CVE-2021-44532
  

Local fix

Problem summary

• ****************************************************************
  * USERS AFFECTED:                                              *
  * IBM Storage Insights users                                   *
  ****************************************************************
  * PROBLEM DESCRIPTION:                                         *
  * CVEID: CVE-2021-44532                                        *
  * Node.js could allow a remote attacker to bypass              *
  * security restrictions, caused by a string injection          *
  * vulnerability when name constraints were used                *
  * within a certificate chain. An attacker could                *
  * exploit this vulnerability to bypass the name                *
  * constraints.                                                 *
  *                                                              *
  * CVEID: CVE-2021-44531                                        *
  * Node.js could allow a remote attacker to bypass              *
  * security restrictions, caused by the improper                *
  * handling of URI Subject Alternative Name (SAN)               *
  * types. An attacker could exploit this vulnerability          *
  * to bypass name-constrained intermediates.                    *
  *                                                              *
  * CVEID: CVE-2021-44533                                        *
  * Node.js could allow a remote attacker to bypass              *
  * security restrictions, caused by the incorrect               *
  * handling of multi-value Relative Distinguished               *
  * Names. By crafting certificate subjects containing           *
  * a single-value Relative Distinguished Name that              *
  * would be interpreted as a multi-value Relative               *
  * Distinguished Name, an attacker could exploit                *
  * this vulnerability to bypass the certificate subject         *
  * verification.                                                *
  *                                                              *
  * CVEID: CVE-2022-21824                                        *
  * Node.js could provide weaker than expected                   *
  * security, caused by an error related to the                  *
  * formatting logic of the console.table() function.            *
  * An attacker could exploit this vulnerability using           *
  * console.table properties to allow an empty string            *
  * to be assigned to numerical keys of the object               *
  * prototype.                                                   *
  *                                                              *
  ****************************************************************
  * RECOMMENDATION:                                              *
  ****************************************************************
  

Problem conclusion

• The fix for this APAR is contained in the following release:
  
  IBM Storage Insights 1Q22   [ 54X-IBM-SI ]
  ( 1Q 2022 / March )
  

Temporary fix

Comments

APAR Information

• APAR is sysrouted FROM one or more of the following:

• APAR is sysrouted TO one or more of the following:

Fix information

• Fixed component name

  STORAGE INSIGHT

• Fixed component ID

  5608TPCSI

Applicable component levels