Bug 1117625 - (CVE-2018-12120) VUL-1: CVE-2018-12120: nodejs4,nodejs6: Debugger port 5858 listens on any interface by default
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P4 - Low
Severity: Minor
Assigned To: Security Team bot
https://smash.suse.de/issue/219829/
CVSSv3:SUSE:CVE-2018-12120:9.8:(AV:N/...
Reported: 2018-11-28 10:21 UTC by Marcus Meissner
Modified: 2019-07-17 06:39 UTC (History)
Found By: Security Response Team
Description Marcus Meissner 2018-11-28 10:21:51 UTC
CVE-2018-12120

https://nodejs.org/en/blog/vulnerability/november-2018-security-releases/

port 5858 listens on any interface by default (CVE-2018-12120)

Categorization: Unprotected Primary Channel (CWE-419)

All versions of Node.js 6 are vulnerable and the severity is HIGH. When the debugger is enabled with node --debug or node debug, it listens to port 5858 on all interfaces by default. This may allow remote computers to attach to the debug port and evaluate arbitrary JavaScript. The default interface is now localhost. It has always been possible to start the debugger on a specific interface, such as node --debug=localhost. The debugger was removed in Node.js 8 and replaced with the inspector, so no versions from 8 and later are vulnerable.

Reported and fixed by Ben Noordhuis.

Impact:

    All versions of Node.js 6 (LTS "Boron") are vulnerable
    All versions of Node.js 8 (LTS "Carbon") are NOT vulnerable
    All versions of Node.js 10 (LTS "Dubnium") are NOT vulnerable
    All versions of Node.js 11 (Current) are NOT vulnerable
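A defender-side check for the exposure described in the advisory above, added here as an example and not part of the bug report or of Node.js: it parses `ss -ltnp` output (a constructed sample is embedded) and flags every listener on port 5858 that is not bound to a loopback address.

```javascript
// Added example (not from the bug or from Node.js): scan `ss -ltnp` output for the
// legacy Node.js debugger port (5858) listening on a non-loopback address.
const DEBUG_PORT = 5858;
const LOOPBACK = new Set(['127.0.0.1', '::1', '[::1]']);

// Split the "Local Address:Port" column; the last ':' separates the port, so
// IPv6 forms such as "[::]:5858" and the older "*:5858" are handled.
function splitAddrPort(field) {
  const idx = field.lastIndexOf(':');
  if (idx === -1) return null;
  const port = Number(field.slice(idx + 1));
  return Number.isInteger(port) ? { addr: field.slice(0, idx), port } : null;
}

// One finding per LISTEN socket on DEBUG_PORT whose bind address is not loopback
// (0.0.0.0, *, [::] or a specific interface address all count as exposed).
function findExposedDebugListeners(ssOutput) {
  const findings = [];
  for (const line of ssOutput.split('\n')) {
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== 'LISTEN' || cols.length < 5) continue;
    const local = splitAddrPort(cols[3]);
    if (!local || local.port !== DEBUG_PORT || LOOPBACK.has(local.addr)) continue;
    // Process column looks like users:(("node",pid=4242,fd=12)); it is absent without -p.
    const m = /users:\(\("([^"]+)",pid=(\d+)/.exec(cols.slice(5).join(' '));
    findings.push({
      addr: local.addr,
      process: m ? m[1] : 'unknown',
      pid: m ? Number(m[2]) : null,
    });
  }
  return findings;
}

// Constructed sample output; on a real host run: ss -ltnp
const SAMPLE_SS_OUTPUT = `
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:5858         0.0.0.0:*          users:(("node",pid=4242,fd=12))
LISTEN  0       128     127.0.0.1:5858       0.0.0.0:*          users:(("node",pid=4243,fd=12))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=900,fd=3))
LISTEN  0       128     *:5858               *:*                users:(("node",pid=4244,fd=12))
`;

for (const f of findExposedDebugListeners(SAMPLE_SS_OUTPUT)) {
  console.log(`debugger exposed on ${f.addr}:${DEBUG_PORT} by ${f.process} (pid ${f.pid}); ` +
              'restart with --debug=localhost or install the fixed package');
}
```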
Comment 1 Adam Majer 2018-11-28 10:41:06 UTC
Removing nodejs8 from title as not affected.
Comment 2 Swamp Workflow Management 2019-01-10 14:50:17 UTC
This is an autogenerated message for OBS integration:
This bug (1117625) was mentioned in
https://build.opensuse.org/request/show/664387 Factory / nodejs6
Comment 4 Adam Majer 2019-01-10 15:40:11 UTC
Fixes submitted to all affected codestreams. Re-assigning back to security team.
Comment 5 Swamp Workflow Management 2019-01-18 14:13:55 UTC
SUSE-SU-2019:0117-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1113534,1113652,1117625,1117626,1117627,1117629,1117630
CVE References: CVE-2018-0734,CVE-2018-12116,CVE-2018-12120,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-5407
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs4-4.9.1-15.17.1
SUSE Enterprise Storage 4 (src):    nodejs4-4.9.1-15.17.1
Comment 6 Swamp Workflow Management 2019-01-25 20:13:15 UTC
openSUSE-SU-2019:0088-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1113534,1113652,1117625,1117626,1117627,1117629,1117630
CVE References: CVE-2018-0734,CVE-2018-12116,CVE-2018-12120,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-5407
Sources used:
openSUSE Leap 42.3 (src):    nodejs4-4.9.1-20.1
Comment 7 Swamp Workflow Management 2019-02-14 17:19:42 UTC
SUSE-SU-2019:0395-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1113534,1113652,1117625,1117626,1117627,1117629,1117630
CVE References: CVE-2018-0734,CVE-2018-12116,CVE-2018-12120,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-5407
Sources used:
SUSE OpenStack Cloud Crowbar 8 (src):    nodejs6-6.16.0-11.21.1
SUSE OpenStack Cloud 7 (src):    nodejs6-6.16.0-11.21.1
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs6-6.16.0-11.21.1
SUSE Enterprise Storage 4 (src):    nodejs6-6.16.0-11.21.1
Comment 8 Swamp Workflow Management 2019-02-22 14:11:15 UTC
openSUSE-SU-2019:0234-1: An update that fixes 7 vulnerabilities is now available.

Category: security (important)
Bug References: 1113534,1113652,1117625,1117626,1117627,1117629,1117630
CVE References: CVE-2018-0734,CVE-2018-12116,CVE-2018-12120,CVE-2018-12121,CVE-2018-12122,CVE-2018-12123,CVE-2018-5407
Sources used:
openSUSE Leap 42.3 (src):    nodejs6-6.16.0-18.1
Comment 9 Marcus Meissner 2019-07-17 06:39:27 UTC
released