• Home
  • |
  • Blog
  • |
  • How To Fix CVE-2021-22931- Missing Input Validation In Domain Names In Node.js
how to fix CVE-2021-22931, CV E-2021-22940, & CVE-2021-22939

Researchers disclosed three vulnerabilities in multiple versions of Node.js. Two of the vulnerabilities are high in severity and one is low among the three. The first and the prominent High severity vulnerability is being tracked as CVE-2021-22931 is due to Improper handling of untypical characters in domain names. Let’s see how to fix CVE-2021-22931, CV E-2021-22940, and CVE-2021-22939.

Summary of CVE-2021-22931:

DescriptionNode.js was vulnerable to Remote Code Execution, XSS, application crashes due to missing input validation of hostnames returned by Domain Name Servers in the Node.js DNS library which can lead to the output of wrong hostnames (leading to Domain Hijacking) and injection vulnerabilities in applications using the library.
CVSS v3 Base Score9.8
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ConfidentialityHigh
Integrity ImpactHigh
Availability ImpactHigh

Summary of CVE-2021-22940:

DescriptionNode.js was vulnerable to use after the free attack where an attacker might be able to exploit memory corruption to change process behavior. This release includes a follow-up fix for CVE-2021-22930 as the issue was not completely resolved by the previous fix.
CVSS v3 Base Score7.5
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ConfidentialityNone
Integrity ImpactHigh
Availability ImpactNone

Summary of CVE-2021-22939:

DescriptionIf the Node.js HTTPS API was used incorrectly and “undefined” was passed for the “rejectUnauthorized” parameter, no error was returned and connections to servers with an expired certificate would have been accepted.
CVSS v3 Base Score5.3
Attack VectorNetwork
Attack ComplexityLow
Privileges RequiredNone
User InteractionNone
ConfidentialityNone
Integrity ImpactLow
Availability ImpactNone

Node.js Versions Vulnerable To CVE-2021-22931, CV E-2021-22940, And CVE-2021-22939 Vulnerabilities:

Node.js versions before 16.6.0, 14.17.4, and 12.22.4 is vulnerable to all three vulnerabilities.

  1. 16.6.0
  2. 14.17.4
  3. 12.22.4

Impact Of The CVE-2021-22931, CV E-2021-22940, And CVE-2021-22939 Vulnerabilities:

Attackers can leverage these vulnerabilities to carry out Remote Code Execution, XSS, Applications crashes, and even more attacks on the target. Adversaries can abuse these vulnerabilities to carry out DNS-cache injection attacks in case an application implements a cache based on the library. And, these vulnerabilities can be used to tunnel all kinds of injection payloads.

All the major Linux distributions were released patches to fix CVE-2021-22931, CV E-2021-22940, and CVE-2021-22939 vulnerabilities. We have provided the links to the advisories from the top Linux distributions here below. Visit the page of your Linux distributions to patch all three vulnerabilities in Node.js.

  1. RedHat
  2. Ubuntu
  3. SUSE
  4. ArchLinux
  5. debian
  6. Oracle Linux

How To Fix CVE-2021-22931, CV E-2021-22940, And CVE-2021-22939 Vulnerabilities In Node.js?

These vulnerabilities are fixed on these Node.js versions. It is recommended to install or upgrade your Node.js to the versions equal or above these versions.

  1. Node.js v12.22.5 (LTS)
  2. Node.js v14.17.5 (LTS)
  3. Node.js v16.6.2 (Current)

Download other Latest versions of Node.js from here.

A video tutorial from ProgrammingKnowledge

How to Install or Upgrade Node.js on Ubuntu?

There are multiple ways to install or upgrade Node.js on Linux. The two most popular ways are installing Node.js compelled packages directly from the official repositories and installing nvm (Node.js Version Manager) then pulling the different versions of Node.js through nvm. We will show you both ways to install or upgrade. We are using Ubuntu in this demonstration. If you need installation on other distributions, you can ask in the comments. Or, visit this git page.

Let’s begin installing Node.js from the official repositories.

How to Install or Upgrade Node.js on Ubuntu?

  1. Default Node.js version on Ubuntu repositories

    If you install Node.js from the official repositories, you will install v10.19.0.

    Run this command to check the Node.js version get installed from the Ubuntu repository.

    $ sudo apt-cache show nodejs

    Default Node.js version on Ubuntu repositories

  2. Install Node.js from official Ubuntu repositories

    Run this command to install Node.js from the official Ubuntu repository.

    $ sudo apt install nodejs

    Install Node.js from official Ubuntu repositories

  3. Check the Node.js version in Linux

    $ nodejs -v

    Check the Node.js version in Linux

  4. Install latest version of Node.js from downloading the package

    The first thing you should need to do is to download the new Node.js package. Use curl or wget utilities on the terminal to download then install the downloaded package using apt-get package manager.

    Node.js v17.x:
    # Using Ubuntu
    $ curl -fsSL https://deb.nodesource.com/setup_17.x | sudo -E bash –
    $ sudo apt-get install -y nodejs


    # Using Debian, as root
    $ curl -fsSL https://deb.nodesource.com/setup_17.x | bash –
    $ apt-get install -y nodejs


    Node.js v16.x:
    # Using Ubuntu
    $ curl -fsSL https://deb.nodesource.com/setup_16.x | sudo -E bash –
    $ sudo apt-get install -y nodejs


    # Using Debian, as root
    $ curl -fsSL https://deb.nodesource.com/setup_16.x | bash –
    $ apt-get install -y nodejs


    Node.js v14.x:
    # Using Ubuntu
    $ curl -fsSL https://deb.nodesource.com/setup_14.x | sudo -E bash –
    $ sudo apt-get install -y nodejs

    #Using Debian, as root
    $ curl -fsSL https://deb.nodesource.com/setup_14.x | bash –
    $ apt-get install -y nodejs


    Node.js v12.x:
    # Using Ubuntu
    $ curl -fsSL https://deb.nodesource.com/setup_12.x | sudo -E bash –
    $ sudo apt-get install -y nodejs


    # Using Debian, as root
    $ curl -fsSL https://deb.nodesource.com/setup_12.x | bash –
    $ apt-get install -y nodejs


    Node.js LTS (v16.x):
    # Using Ubuntu
    $ curl -fsSL https://deb.nodesource.com/setup_lts.x | sudo -E bash –
    # sudo apt-get install -y nodejs


    # Using Debian, as root
    $ curl -fsSL https://deb.nodesource.com/setup_lts.x | bash –
    $ apt-get install -y nodejs


    Node.js Current (v17.x):
    # Using Ubuntu
    $ curl -fsSL https://deb.nodesource.com/setup_current.x | sudo -E bash –
    $ sudo apt-get install -y nodejs


    # Using Debian, as root
    $ curl -fsSL https://deb.nodesource.com/setup_current.x | bash –
    $ apt-get install -y nodejs



    Download the Node.js package and add the signing key

  5. Install Node.js from the downloaded package

    Issue this command to install the downloaded Node.js package. Check the Node.js version after installation.

    $ sudo apt-get install -y nodejs
    $ node -v


    Note: Since npm is included in this package. npm will also get installed along with the Node.js. Use this command to check the npm version.

    $ npm -v

    This is how you can install the latest version of Node.js on your Ubuntu.

    Check this link for manual installation.


    Install Node.js from the downloaded package

  6. Install nvm (Node Version Manager)

    nvm is a version manager for node.js, If you are a heavy user of Node.js and your work needs multiple versions of Node.js, then you should consider this method of installation, which will allow you to use multiple versions of Node.js simultaneously.

    nvm works on any POSIX-compliant shell (sh, dash, ksh, zsh, bash), in particular on these platforms: Unix, macOS, and windows WSL.

    You should run the install script to install or update nvm from the terminal. To do that, you may either download and run the script manually or use the following cURL or Wget command:

    $ curl -o- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash
    Or
    $ wget -qO- https://raw.githubusercontent.com/nvm-sh/nvm/v0.39.0/install.sh | bash


    Following this run these commands for the different shells on the command line:

    bash$ source ~/.bashrc
    zsh$ source ~/.zshrc
    ksh$ . ~/.profile


    Install nvm on Ubuntu

  7. Install Node.js using nvm

    Run this command to list all the available versions of Node.js in nvm. You will see a long list of Node.js versions available from the beginning to the latest. We recommend installing the latest LTS (Long Term Support) version or the latest version.

    $ nvm list-remote

    Once after you have chosen to install the desired version, run this command to install the Node.js version.

    $ nvm install <version>

    Ex:
    1. $ nvm install v16.13.0
    2. $ nvm install v17.0.1


    You can install multiple versions of Node.js. The version you install will become the default version of Node.js.


    Install Node.js using nvm on Ubuntu

  8. Switch the Node.js version installed using nvm

    Before switching to the Node.js version, it is good to know the versions installed on the server. Use this command to list the Node.js versions.

    $ nvm list

    Run this command to switch the Node.js versions on the server.

    $ nvm use <version>

    Ex:
    1. $ nvm use v16.13.0
    2. $ nvm use system



    Switch the Node.js version installed using nvm

  9. Uninstall Node.js on Ubuntu

    We recommend uninstalling or removing the vulnerable versions of Node.js from the system. You can remove or purge the packages using apt package manager like other packages.

    $ sudo apt-get remove nodejs npm node
    $ sudo apt-get purge nodejs


    After this, remove .node and .npm folders from your system.

    $ sudo rm -rf /usr/local/bin/npm
    $ sudo rm -rf /usr/local/share/man/man1/node*
    $ sudo rm -rf /usr/local/lib/dtrace/node.d
    $ sudo rm -rf ~/.npm
    $ sudo rm -rf ~/.node-gyp
    $ sudo rm -rf /opt/local/bin/node
    $ sudo rm -rf opt/local/include/node
    $ sudo rm -rf /opt/local/lib/node_modules
    $ sudo rm -rf /usr/local/lib/node*
    $ sudo rm -rf /usr/local/include/node*
    $ sudo rm -rf /usr/local/bin/node*

This is how you can fix CVE-2021-22931, CV E-2021-22940, and CVE-2021-22939 by installing the new Node.js version. We recommend removing the vulnerable versions of Node.js from the system.

We hope this post will help you in knowing How to Fix CVE-2021-22931- Missing Input Validation in Domain Names in Node.js. Thanks for reading this threat post. Please share this post and help to secure the digital world. Visit our social media page on FacebookLinkedInTwitterTelegramTumblr, & Medium and subscribe to receive updates like this.

About the author

Arun KL

To know more about me. Follow me on LinkedIn Hi All, I am Arun KL, an IT Security Professional. Founder of “thesecmaster.com”. Enthusiast, Security Blogger, Technical Writer, Editor, Author at TheSecMaster. To know more about me. Follow me on LinkedIn

Leave a Reply

Your email address will not be published. Required fields are marked

{"email":"Email address invalid","url":"Website address invalid","required":"Required field missing"}

Learn Something New with Free Email subscription

Email is also one of the ways to be in touch with us. Our free subscription plan offers you to receive post updates straight to your inbox.