OpenSSL Recent Security Patches

2023-10-26 00:00:00
OpenJS Foundation
nodejs.org
Tags: openssl, security advisories, node.js, windows, low vulnerability, moderate vulnerability, cve-2023-4807, cve-2023-5363

CVSS3: 7.8 High
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (Attack Vector: Local; Attack Complexity: Low; Privileges Required: Low; User Interaction: None; Scope: Unchanged; Confidentiality, Integrity and Availability Impact: High)
AI Score: 7 High (Confidence: Low)
EPSS: 0.001 Low (Percentile: 45.4%)

Summary

For the vulnerabilities disclosed in the OpenSSL Security Advisories of:

  • OpenSSL 3.0.11 - Tuesday 19th September 2023
  • OpenSSL 3.0.12 - Tuesday 24th October 2023

Node.js (Windows) is affected by one vulnerability rated as LOW. Therefore, these patches will be released in regular Node.js releases.

Analysis

Our assessment of the following security advisories is:

POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807) - Low

Node.js is affected by this vulnerability. CVE-2023-4807 affects Windows users, and the vulnerability is rated as LOW by the OpenSSL Security Team.

Incorrect cipher key & IV length processing (CVE-2023-5363) - Moderate

Node.js does not use or export the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() functions, so Node.js is not affected.

Users who call the affected OpenSSL functions through other means, such as native addons, can dynamically link against a patched version of OpenSSL until new Node.js releases are available.
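An added check, not part of the Node.js advisory, that turns the two fixed releases named above (3.0.11 for CVE-2023-4807, 3.0.12 for CVE-2023-5363) into a version test for the OpenSSL a Node.js process reports through `process.versions.openssl`. The version strings used as samples are constructed, and the handling of a `+quic` suffix assumes that is how Node's bundled OpenSSL reports itself.

```javascript
// Added example (not from the Node.js advisory): report which of the two CVEs
// in this advisory are still unpatched for a given OpenSSL version string.
// Only the 3.0.x branch discussed on this page is covered.

// Minimum fixed release per CVE, taken from the advisory above. CVE-2023-4807
// is a Windows-only issue, so it is only flagged for platform 'win32'.
const FIXED_IN = {
  'CVE-2023-4807': { fixed: '3.0.11', platforms: ['win32'] },
  'CVE-2023-5363': { fixed: '3.0.12', platforms: null }, // null = every platform
};

// Parse "3.0.10+quic" or "1.1.1w" into [major, minor, patch, letter].
// A "+quic" style suffix (assumed form of Node's bundled OpenSSL) is ignored;
// a trailing letter on 1.x releases is mapped to a number so it compares.
function parseOpenSSLVersion(str) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]?)(?:[+-].*)?$/.exec(String(str).trim());
  if (!m) throw new Error(`unrecognised OpenSSL version: ${str}`);
  const letter = m[4] ? m[4].charCodeAt(0) - 96 : 0; // 'a' -> 1, '' -> 0
  return [Number(m[1]), Number(m[2]), Number(m[3]), letter];
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseOpenSSLVersion(a);
  const pb = parseOpenSSLVersion(b);
  for (let i = 0; i < 4; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns the CVEs from this advisory whose fix `version` lacks on `platform`,
// or null when the version is outside the 3.0.x branch this page covers.
function missingOpenSSLFixes(version, platform) {
  const [major, minor] = parseOpenSSLVersion(version);
  if (major !== 3 || minor !== 0) return null;
  return Object.entries(FIXED_IN)
    .filter(([, v]) => v.platforms === null || v.platforms.includes(platform))
    .filter(([, v]) => compareVersions(version, v.fixed) < 0)
    .map(([cve]) => cve);
}

// Check the running Node.js process (process.versions.openssl is a real API).
function checkRunningNode() {
  return missingOpenSSLFixes(process.versions.openssl, process.platform);
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(process.versions.openssl, process.platform, checkRunningNode());
}
```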
