Tuesday, March 14, 2023
HomeNodejsNov 3 2022 Safety Releases

Nov 3 2022 Safety Releases


Updates are actually out there for v14,x, v16.x, v18.x and v19.x Node.js
launch strains for the next points.

A buffer overrun may be triggered in X.509 certificates verification,
particularly in identify constraint checking. Notice that this happens
after certificates chain signature verification and requires both a
CA to have signed the malicious certificates or for the appliance to
proceed certificates verification regardless of failure to assemble a path
to a trusted issuer. An attacker can craft a malicious electronic mail handle
to overflow 4 attacker-controlled bytes on the stack. This buffer
overflow might end in a crash (inflicting a denial of service) or
doubtlessly distant code execution.

Impacts:

  • All variations of the v18.x and v19.x releases strains.

A buffer overrun may be triggered in X.509 certificates verification,
particularly in identify constraint checking. Notice that this happens after
certificates chain signature verification and requires both a CA to
have signed a malicious certificates or for an utility to proceed
certificates verification regardless of failure to assemble a path to a trusted
issuer. An attacker can craft a malicious electronic mail handle in a certificates
to overflow an arbitrary variety of bytes containing the . character
(decimal 46) on the stack. This buffer overflow might end in a crash
(inflicting a denial of service).

In a TLS shopper, this may be triggered by connecting to a malicious
server. In a TLS server, this may be triggered if the server requests
shopper authentication and a malicious shopper connects.

OpenSSL variations 3.0.0 to three.0.6 are weak to this difficulty.

Impacts:

  • All variations of the v18.x and v19.x releases strains.

The Node.js rebinding protector for –inspect nonetheless permits invalid IP handle,
particularly, the octal format. An instance of an octal IP handle is 1.09.0.0,
the 09 octet is invalid as a result of 9 will not be a quantity within the base 8 quantity system.
Browsers reminiscent of Firefox (examined on newest model m105) will nonetheless try and
resolve this invalid octal handle by way of DNS. When mixed with an lively
–inspect session, reminiscent of when utilizing VSCode, an attacker can carry out DNS
rebinding and execute arbitrary code

Thanks to @haxatron1 for reporting this vulnerability.

Impacts:

  • All variations of the v14.x, v16.x, v18.x, and v19.x releases strains.

Downloads and launch particulars


It is taking us a bit longer than initially anticipated and the Node.js Safety Releases
will probably be out there on, or shortly after, Friday, November 4th, 2022.

The Node.js mission will launch new variations of the 14.x, 16.x, 18.x, 19.x
releases strains on or shortly after Thursday, November 3, 2022 as a way to handle:

These safety releases are pushed by the OpenSSL safety launch as introduced in OpenSSL November Safety Launch in addition to a further vulnerability that impacts all supported launch strains.

The 19.x launch line of Node.js is weak to 1 medium severity difficulty and two excessive severity points.

The 18.x launch line of Node.js is weak to 1 medium severity difficulty and two excessive severity points.

The 16.x launch line of Node.js is weak to 1 medium severity difficulty.

The 14.x launch line of Node.js is weak to 1 medium severity difficulty.

Releases will probably be out there on, or shortly after, Thursday, November third, 2022.

The present Node.js safety coverage may be discovered at https://nodejs.org/en/safety/. Please comply with the method outlined in https://github.com/nodejs/node/blob/grasp/SECURITY.md in the event you want to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing listing at https://teams.google.com/discussion board/#!discussion board/nodejs-sec to remain updated on safety vulnerabilities and security-related releases of Node.js and the tasks maintained within the nodejs GitHub group.

RELATED ARTICLES

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Most Popular

Recent Comments