¡¾Â©¶´Í¨¸æ¡¿tar & @npmcli/arborist 9Ô¶à¸öÄþ¾²Â©¶´

Ðû²¼Ê±¼ä 2021-09-10

0x00 ©¶´¸ÅÊö

2021Äê9ÔÂ8ÈÕ£¬GitHubÄþ¾²ÍŶӹûÈ»Åû¶ÁËÔÚnpm CLI ʹÓÃµÄ npm °ütarºÍ@npmcli/arboristÖз¢ÏÖµÄ7¸öÄþ¾²Â©¶´£¬¹¥»÷Õß¿ÉÒÔÀûÓÃÕâЩ©¶´ÁýÕÖÈÎÒâÎļþ¡¢´´½¨ÈÎÒâÎļþ»òÖ´ÐÐÈÎÒâ´úÂë ¡£

 

0x01 ©¶´ÏêÇé

image.png

tarÊÇnpmµÄÒ»¸öºËÐÄÒÀÀµ£¬ÓÃÓÚÌáÈ¡ºÍ°²×°npm°ü ¡£@npmcli/arboristÊÇnpm CLIµÄÒ»¸öºËÐÄÒÀÀµÏÓÃÓÚ¹ÜÀínode_modulesÊ÷ ¡£

µ±tar±»ÓÃÀ´ÌáÈ¡²»ÊÜÐÅÈεÄtarÎļþ»òµ±npm CLIÔÚijЩÎļþϵͳÌõ¼þϱ»ÓÃÀ´°²×°²»ÊÜÐÅÈεÄnpm°üʱ£¬ÕâЩ©¶´¿ÉÄÜ»áÓÉÓÚÎļþÁýÕÖ»ò´´½¨¶øµ¼ÖÂÈÎÒâ´úÂëÖ´ÐÐ ¡£±¾´ÎÅû¶µÄ7¸ö©¶´ÈçÏ£º

l  CVE-2021-32803£ºÓÉÓÚĿ¼»º´æÖж¾£¬¿ÉÒÔͨ¹ý²»³äʵµÄ·ûºÅÁ´½Ó± £»¤À´ÊµÏÖÈÎÒâÎļþ´´½¨/ÁýÕÖ£¬¸Ã©¶´µÄCVSSv3ÆÀ·ÖΪ8.1/8.2 ¡£

l  CVE-2021-32804£ºÓÉÓÚ¾ø¶Ô·¾¶ÇåÀí²»×ã¶øµ¼ÖÂÈÎÒâÎļþ´´½¨/ÁýÕÖ£¬¸Ã©¶´µÄCVSSv3ÆÀ·ÖΪ8.1/8.2 ¡£

l  CVE-2021-37701£ºÓÉÓÚʹÓ÷ûºÅÁ´½ÓµÄĿ¼»º´æÖж¾£¬µ¼Ö·ûºÅÁ´½Ó± £»¤²»×㣬´Ó¶øµ¼ÖÂÈÎÒâÎļþ´´½¨/ÁýÕÖ£¬¸Ã©¶´µÄCVSSv3ÆÀ·ÖΪ8.2 ¡£

l  CVE-2021-37712£ºÓÉÓÚʹÓ÷ûºÅÁ´½ÓµÄĿ¼»º´æÖж¾£¬µ¼Ö·ûºÅÁ´½Ó± £»¤²»×㣬´Ó¶øµ¼ÖÂÈÎÒâÎļþ´´½¨/ÁýÕÖ£¬¸Ã©¶´µÄCVSSv3ÆÀ·ÖΪ8.2 ¡£

l  CVE-2021-37713£ºÍ¨¹ý²»³äʵµÄÏà¶Ô·¾¶ÇåÀíÔÚWindowsÉÏ´´½¨/ÁýÕÖÈÎÒâÎļþ£¬¸Ã©¶´µÄCVSSv3ÆÀ·ÖΪ8.2 ¡£

l  CVE-2021-39134£º@npmcli/arboristÖеÄUNIX·ûºÅÁ´½Ó£¨Symlink£©£¬¸Ã©¶´µÄCVSSv3ÆÀ·ÖΪ7.8/8.2 ¡£

l  CVE-2021-39135£º@npmcli/arboristÖеÄUNIX·ûºÅÁ´½Ó£¨Symlink£©£¬¸Ã©¶´µÄCVSSv3ÆÀ·ÖΪ7.8/8.2 ¡£

 

ÔÚ´¦ÖöñÒâ»ò²»ÊÜÐÅÈεÄnpm°ü°²×°£¬CVE-2021-32804¡¢CVE-2021-37713¡¢CVE-2021-39134ºÍCVE-2021-39135»áÓ°Ïìnpm CLI£¬ÆäÖÐһЩ©¶´¿ÉÄܻᵼÖÂÈÎÒâ´úÂëÖ´ÐÐ ¡£

 

Ó°Ï췶Χ

CVE

Ó°Ïì²úÎï

Ó°Ï췶Χ

ÐÞ¸´°æ±¾

²Î¿¼Á´½Ó

CVE-2021-32803

 

 

 

 

 

 

 

tar(npm)

 

 

<3.2.3

4.x £º<4.4.15

5.x £º<5.0.7

6.x £º<6.1.2

3.2.3

4.4.15

5.0.7

6.1.2

https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw

CVE-2021-32804

<3.2.2

4.x £º<4.4.14

5.x £º<5.0.6

6.x £º<6.1.1

3.2.2

4.4.14

5.0.6

6.1.1

https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9

CVE-2021-37701

<4.4.16

5£º<5.0.8

6£º<6.1.7

4.4.16

5.0.8

6.1.7

https://github.com/npm/node-tar/security/advisories/GHSA-9r2w-394v-53qc

CVE-2021-37712

6£º<=6.1.8

5£º<=5.0.9

<=4.4.17

6.1.9

5.0.10

4.4.18

 

 

https://github.com/npm/node-tar/security/advisories/GHSA-qq89-hq3f-393p

CVE-2021-37713

6£º<=6.1.8

5£º<=5.0.9

<=4.4.17

6.1.9

5.0.10

4.4.18

https://github.com/npm/node-tar/security/advisories/GHSA-5955-9wpr-37jh

CVE-2021-39134

@npmcli/arborist (npm)

<=2.8.1

2.8.2

https://github.com/npm/arborist/security/advisories/GHSA-2h3h-q99f-3fhc

CVE-2021-39135

<=2.8.1

2.8.2

https://github.com/npm/arborist/security/advisories/GHSA-gmw6-94gg-2rc2

 

0x02 ´¦Öý¨Òé

Ä¿Ç°ÕâЩ©¶´ÒѾ­ÐÞ¸´£¬½¨Ò鼰ʱÉý¼¶¸üР¡£

l  Èç¹ûÖ±½Ó°²×°»ò´ò°ünpm CLI£¬Çë¸üÐÂnpm CLI µ½6.14.15¡¢7.21.0 »ò¸ü¸ß°æ±¾ ¡££¨Ö»ÓÐCVE-2021-32804¡¢CVE-2021-37713¡¢CVE-2021-39134 ºÍ CVE-2021-39135Ó°Ïìnpm CLI£© ¡£

l  Èç¹ûÒÀÀµ Node.js ½øÐÐ npm °²×°£¬Çë¸üе½×îа汾µÄ Node.js v12.22.6¡¢v14.17.6 ¡¢v16.8.0 £¨½ØÖÁ2021 Äê 8 Ô 31 ÈÕ£©»ò¸ü¸ß°æ±¾£¬ËüÃÇ°üÂÞCVE-2021-32804¡¢CVE-2021-37713¡¢CVE-2021-39134 ºÍ CVE-2021-39135 µÄ²¹¶¡ ¡£

l  Èç¹ûÏîÄ¿ÒÀÀµÓÚtar£º½«ÒÀÀµÏî¸üе½ 4.4.19¡¢5.0.11¡¢6.1.10 »ò¸ü¸ß°æ±¾ ¡££¨Ïê¼ûCVE-2021-32804¡¢CVE-2021-32803¡¢CVE-2021-37701¡¢CVE-2021-37712ºÍCVE-2021-37713Á´½Ó ¡££©

l  tarµÄv3·ÖÖ§ÒѾ­±»·ÏÆú£¬½¨Òé¸üе½v6 ¡£

 

ÏÂÔØÁ´½Ó£º

https://github.com/npm/cli/

 

0x03 ²Î¿¼Á´½Ó

https://github.blog/2021-09-08-github-security-update-vulnerabilities-tar-npmcli-arborist/

https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw

https://www.bleepingcomputer.com/news/security/github-finds-7-code-execution-vulnerabilities-in-tar-and-npm-cli/

 

0x04 ¸üа汾

°æ±¾

ÈÕÆÚ

ÐÞ¸ÄÄÚÈÝ

V1.0

2021-09-10

Ê×´ÎÐû²¼

 

0x05 Îĵµ¸½Â¼

CNVD£ºwww.cnvd.org.cn

CNNVD£ºwww.cnnvd.org.cn

CVE£ºcve.mitre.org

NVD£ºnvd.nist.gov

CVSS£ºwww.first.org

0x06 ¹ØÓÚ¶«É­Æ½Ì¨

¹Ø×¢ÒÔϹ«Öںţ¬»ñÈ¡¸ü¶à×ÊѶ£º

image.png