Anyone else dealing with a new vulnerability popping up in your scans relating to node.js? /CVE-2021-21315


Toby Mills
Solved by Patrick Huebgen

After upgrading from 8207->9.1, my VMs are getting flagged with this finding:

https://www.tenable.com/cve/CVE-2021-21315

NodeJS System Information Library Command Injection (CVE-2021-21315)

I'm having a hard time locating what this is trying to tell me as far as the WebFOCUS installs go.

What I've found so far is in Appendix D of the WFRS admin manual.

We (WebFOCUS) reference node_js in the edaserve.cfg. If it's available, we'd use that to help out with in-document analytics. My installs include a node_js value which is the VM name and a port number of 8126 (5 higher than the HTTP listener port default of 8121).

It's totally possible the virus scanning guys think this is a WebFOCUS thing but it's really a Windows thing.

EDAPRINT.LOG shows me:

11/28/2022 14:15:06.283 E nodejs startup failed (nodejs package likely not installed or not on PATH)

So from a WFRS perspective, it can't find it.

Opened a case but I feel like this may not be a WF thing.

Here's what the response part of the finding says - I'd love to see the request side of this:

"Plugin Output: Nessus was able to exploit a command injection vulnerability by sending a specially crafted payload to the remote system and confirmed an exposure on the following port: 47001. Nessus received the following response from the remote system: ${jndi:ldap://log4shell-generic-NEpunx5BV7eGMZp5tYgj${lower:ten}.w.nessus.org/nessus}"

Using some DOS commands, I can find that port 47001 is in use by PID 4, which, when I look to see what program has PID 4, is Windows Services. So how is this a WF thing?

I'll post when I've learned more.

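A triage script for the kind of finding described in this post, added here as an example and not taken from the thread or from WebFOCUS: it maps the flagged port to its owning process and HTTP.sys request queue, checks whether node.exe is present at all, and looks for the node_js setting in edaserve.cfg. The port number and the node_js key name come from the thread; the edaserve.cfg path is a placeholder to be replaced with the real install path.

```powershell
# Added triage script (not from the original thread or from WebFOCUS).
# Assumptions: port 47001 from the Nessus finding; $EdaserveCfg is a placeholder path.
param(
    [int]$Port = 47001,
    [string]$EdaserveCfg = 'C:\PLACEHOLDER\wfs\bin\edaserve.cfg'  # placeholder, adjust to your install
)

# 1. Which process owns the listener on the flagged port?
$conns = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
if (-not $conns) { "Nothing is listening on port $Port" }
foreach ($c in $conns) {
    $proc = Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LocalAddress = $c.LocalAddress
        Port         = $c.LocalPort
        OwningPID    = $c.OwningProcess
        Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
    }
}

# PID 4 is the Windows System process. Listeners handled by the kernel HTTP.sys
# driver are attributed to it, so show the HTTP.sys request queues whose
# registered URLs include this port; the "Controller process ID" in that output
# is the real user-mode owner (for example, WinRM on 47001).
netsh http show servicestate view=requestq | Select-String -Pattern ":$Port/" -Context 12, 0

# 2. Is a Node.js runtime present on this host at all?
$node = Get-Command node.exe -ErrorAction SilentlyContinue
if ($node) {
    "node.exe found at $($node.Source), version: $(& $node.Source --version)"
} else {
    "node.exe not on PATH (consistent with 'nodejs startup failed' in EDAPRINT.LOG)"
}

# 3. What does the WebFOCUS Reporting Server config point node_js at?
if (Test-Path $EdaserveCfg) {
    Select-String -Path $EdaserveCfg -Pattern 'node_js' | ForEach-Object { $_.Line }
} else {
    "edaserve.cfg not found at $EdaserveCfg (placeholder path; adjust for your install)"
}
```

Run it in an elevated PowerShell session on the flagged VM; if step 1 attributes the port to a request queue controlled by a Windows service and step 2 reports no node.exe, the evidence points away from the WebFOCUS install as the component behind the finding.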

3 weeks later...

Thanks Patrick - reminds me I should come back to update this.

I opened a case with the EDA guys and after conferring with the product folks, we can make use of node.js if it's installed, but on our own, we don't install node.js (or node.exe).

Confirmed by Jared in support and the product division.
