Lucene search

K
nodejsblogOpenJS FoundationNODEJSBLOG:OPENSSL-FIXES-IN-REGULAR-RELEASES-MAY2022
HistoryMay 05, 2022 - 12:00 a.m.

OpenSSL update assessment, and Node.js project plans

2022-05-0500:00:00
OpenJS Foundation
nodejs.org
2

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

OpenSSL update assessment, and Node.js project plans

By Rafael Gonzaga, 2022-05-05

Summary

The OpenSSL Security releases of May 3 2022 affects Node.js 17.x and 18.x but highest serverity is “Low”

Analysis

Our assessment of the security advisory is:

The c_rehash script allows command injection (CVE-2022-1292)

Node.js doesn’t use or ship the c_rehash script. Therefore, Node.js is not affected

OCSP_basic_verify may incorrectly verify the response signing certificate (CVE-2022-1343)

Node.js doesn’t call OCSP_basic_verify with the custom flag OCSP_NOCHECKS. Node.js is not affected.

Incorrect MAC key used in the RC4-MD5 ciphersuite (CVE-2022-1434)

Node.js does not compile with --enable-weak-ssl-ciphers, therefore, Node.js is not affected.

Resource leakage when decoding certificates and keys (CVE-2022-1473)

Node.js 17.x and 18.x are affected by this CVE which is rated “Low”.

Given this assessment, the OpenSSL updates for Node.js will be delievered through the regular Node.js release cycle with releases scheduled by the end of May.

Contact and future updates

The current Node.js security policy can be found at https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security, including information on how to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at <https://groups.google.com/forum/#!forum/nodejs-sec&gt; to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

9.8 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

10 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

NONE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:N/C:C/I:C/A:C

Related for NODEJSBLOG:OPENSSL-FIXES-IN-REGULAR-RELEASES-MAY2022