vscode-remote-release icon indicating copy to clipboard operation
vscode-remote-release copied to clipboard

Published 20 hours ago verified publisher icon microsoft

node.js bundled with vscode-remote server has multiple security vulnerabilities

Open lupalby opened this issue 1 year ago • 3 comments

  • VSCode Version: 1.86.0
  • Local OS Version: W11 23H2
  • Remote OS Version: Ubuntu 20.04.6
  • Remote Extension/Connection Type: Server or SSH (does not matter)

Steps to Reproduce:

  1. install VSCode server or connect to remote machine using VSCode remote SSH extension
  2. trigger a security scan on the remote machine (Nessus in our case)

The security scan reports that the node.js version that is bundled with the vscode-server (18.17.1) has multiple security vulnerabilities. It is sufficient to update to version 18.18.2 to solve the problem, however it doesn't work if I change the version manually. You will have to update the node.js version bundled with VSCode or with the extension.

Node.js 18.x < 18.18.2 / 20.x < 20.8.1 Multiple Vulnerabilities (Friday October 13 2023 Security Releases).

Description

The version of Node.js installed on the remote host is prior to 18.18.2, 20.8.1. It is, therefore, affected by multiple vulnerabilities as referenced in the Friday October 13 2023 Security Releases advisory. - Undici did not always clear Cookie headers on cross-origin redirects. By design, cookie headers are forbidden request headers, disallowing them to be set in RequestInit.headers in browser environments. Since undici handles headers more liberally than the spec, there was a disconnect from the assumptions the spec made, and undici's implementation of fetch. As such this may lead to accidental leakage of cookie to a 3rd-party site or a malicious attacker who can control the redirection target (ie. an open redirector) to leak the cookie to the 3rd party site. More details area available in GHSA-wqq4-5wpv-mx2g (CVE-2023-45143) - Rapidly creating and cancelling streams (HEADERS frame immediately followed by RST_STREAM) without bound causes denial of service. See https://www.cve.org/CVERecord?id=CVE-2023-44487 for details. Impacts: (CVE-2023-44487) - A previously disclosed vulnerability (CVE-2023-30584) was patched insufficiently. The new path traversal vulnerability arises because the implementation does not protect itself against the application overwriting built-in utility functions with user-defined implementations. Impacts: Please note that at the time this CVE is issued, the permission model is an experimental feature of Node.js. Thanks to Tobias Nieen who reported and created the security patch. (CVE-2023-39331) - Various node:fs functions allow specifying paths as either strings or Uint8Array objects. In Node.js environments, the Buffer class extends the Uint8Array class. Node.js prevents path traversal through strings (see CVE-2023-30584) and Buffer objects (see CVE-2023-32004), but not through non-Buffer Uint8Array objects. This is distinct from CVE-2023-32004 (report 2038134), which only referred to Buffer objects. However, the vulnerability follows the same pattern using Uint8Array instead of Buffer. Impacts: Please note that at the time this CVE is issued, the permission model is an experimental feature of Node.js. Thanks to Tobias Nieen who reported and created the security patch. (CVE-2023-39332) - When the Node.js policy feature checks the integrity of a resource against a trusted manifest, the application can intercept the operation and return a forged checksum to node's policy implementation, thus effectively disabling the integrity check. Impacts: Please note that at the time this CVE is issued, the policy mechanism is an experimental feature of Node.js. Thanks to Tobias Nieen who reported and created the security patch. (CVE-2023-38552) - Maliciously crafted export names in an imported WebAssembly module can inject JavaScript code. The injected code may be able to access data and functions that the WebAssembly module itself does not have access to, similar to as if the WebAssembly module was a JavaScript module. Impacts: Thanks to dittyroma for reporting the issue and to Tobias Nieen for fixing it. (CVE-2023-39333) Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Upgrade to Node.js version 18.18.2 / 20.8.1 or later.

lupalby avatar Feb 05 '24 11:02 lupalby

I also have the same problem.

jblanusa avatar Feb 05 '24 11:02 jblanusa

I have the same problem. Can this be prioritized?

harshakokel avatar Feb 13 '24 21:02 harshakokel

Updating to 18.18.2 will happen as part of https://github.com/microsoft/vscode/pull/203956

deepak1556 avatar Feb 14 '24 02:02 deepak1556

We do security patch releases only in case we become aware of a vulnerability that affects VS Code. We are tracking all CVEs issued for all of our dependencies, including node.js, v8, chromium, electron, etc, and we have a mechanism to receive VS Code specific security issues.

node.js has as its main use-case hosting servers that are exposed to the internet. VS Code does not use node.js in this way, so almost all CVEs that are reported against node.js are not impacting VS Code.

Finally, we update regularly (monthly) our dependencies, so the next VS Code stable version will contain an updated nodejs.

TL;DR Your security scan is correct, we include a 1 month old version of node.js, but that does not mean your system is in any way vulnerable to those CVEs because we use node.js in a very specific way.

alexdima avatar Feb 19 '24 13:02 alexdima

Insiders is based on 18.18.2 and next stable release 1.88 will contain the version.

deepak1556 avatar Mar 21 '24 12:03 deepak1556