First published: 13th July 2022
Last updated: 13th July 2022
A vulnerability has been found in the implementation of Node.js. This affects the following supported DriveLock products (supported by the time this bulletin was created):
The detected vulnerabilities in in Node.js allow execution of arbitrary code by a remote & anonymous attacker, which can be used to manipulate or circumvent security mechanisms.
The vulnerabilities CVE-2022-32212, CVE-2022-32213, CVE-2022-32214, CVE-2022-32215, CVE-2022-32222, CVE-2022-32223 are collected in WID-SEC-2022-0621, the vulnerabilities with classification “High” are written in bold.
CVE-2022-32212: Only vulnerable via the command-line switch
node --inspect, which enables the debugging interface
of node and is not used by the DES server. It's not possible to pass
arbitrary arguments to the node runtime for a remote user, therefore
this vulnerability cannot be exploited.
CVE-2022-32213, CVE-2022-32214, CVE-2022-32215: HTTP Request Smuggling is not possible because the node http api is behind a reverse proxy which does its own header parsing and validation.
CVE-2022-32222: Not applicable because it only affects Linux systems and the attacker would need local access to the DES.
CVE-2022-32223: The attacker needs local access to the DES server and needs write access to the DES service's user profile. Using the DES server alone, there is no way to exploit this remotely.
Drivelock cannot be targeted using these exploits.
Customers do not need to update their environment.
Nevertheless we always recommend to use the latest available version.