Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Plan to port the fixes to the openssl versions (CVE-2024-6119) in use for nodejs. #192

Open
qinpeilin opened this issue Sep 19, 2024 · 6 comments
Open

Plan to port the fixes to the openssl versions (CVE-2024-6119) in use for nodejs. #192

qinpeilin opened this issue Sep 19, 2024 · 6 comments

Comments

@qinpeilin
Copy link

Hello,

In recent BDBA scan, there is one CVE:

https://nvd.nist.gov/vuln/detail/CVE-2024-6119

detected in node.js.
Issue summary: Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address resulting in abnormal termination of the application process.

Impact summary: Abnormal termination of an application can a cause a denial of service.

Applications performing certificate name checks (e.g., TLS clients checking server certificates) may attempt to read an invalid memory address when comparing the expected name with an otherName subject alternative name of an X.509 certificate. This may result in an exception that terminates the application program.

Note that basic certificate chain validation (signatures, dates, ...) is not affected, the denial of service can occur only when the application also specifies an expected DNS name, Email address or IP address.

TLS servers rarely solicit client certificates, and even when they do, they generally don't perform a name check against a reference identifier (expected identity), but rather extract the presented identity after checking the certificate chain. So TLS servers are generally not affected and the severity of the issue is Moderate.

In the latest version of nodejs of 22.9.0, the fixed is still not included, Here we would like to know if there are plans to port this fixes to the openssl versions in use for nodejs. thanks a lot.

Best regards,
Peilin
@qinpeilin
Copy link
Author

qinpeilin commented Sep 19, 2024
edited
Loading

our environment it is based on domain service and DNS is the same for all components, and for the component which use nodejs, it is server not client application.

Solution - Fix available
Fixed in openssl version:

3.0.15 by this commit,
3.1.7 by this commit,
3.2.3 by this commit,
3.3.2 by this commit.

@RafaelGSS
Copy link
Member

Node.js uses a fork of OpenSSL https://github.com/quictls/openssl for its usage on QUIC protocol. This library hasn't officially released a 3.0.15 version yet.

@RafaelGSS
Copy link
Member

nodejs/node#55184

Will be fixed in the next Node.js release.

@kcak11
Copy link

kcak11 commented Oct 17, 2024

With the recent release of Node 23.0.0, is this vulnerability fixed?

@RafaelGSS
Copy link
Member

Yes, OpenSSL has been updated in both v22.10.0 and v23.0.0 lines.

@kcak11
Copy link

kcak11 commented Oct 17, 2024

Yes, OpenSSL has been updated in both v22.10.0 and v23.0.0 lines.

Thanks for confirming

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@kcak11 @RafaelGSS @qinpeilin