diff options
| author | Beth Griggs <bgriggs@redhat.com> | 2022-01-08 01:38:03 +0000 |
|---|---|---|
| committer | Beth Griggs <bgriggs@redhat.com> | 2022-01-10 23:49:27 +0000 |
| commit | c4194c0dce93566fd463ff575726064886c74c1e (patch) | |
| tree | b1e308906b361a41cb2b48724741ca98e3601bc5 /doc/changelogs | |
| parent | f99a2c275d940a9b55aa8a12f56c3be5984b2f64 (diff) | |
| download | node-new-c4194c0dce93566fd463ff575726064886c74c1e.tar.gz | |
2022-01-10, Version 17.3.1 (Current)
This is a security release.
Notable changes:
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
- Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI
is specifically defined to use a particular SAN type, can result in
bypassing name-constrained intermediates. Node.js was accepting URI SAN
types, which PKIs are often not defined to use. Additionally, when a
protocol allows URI SANs, Node.js did not match the URI correctly.
- Versions of Node.js with the fix for this disable the URI SAN type when
checking a certificate against a hostname. This behavior can be
reverted through the `--security-revert` command-line option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
- Node.js converts SANs (Subject Alternative Names) to a string format.
It uses this string to check peer certificates against hostnames when
validating connections. The string format was subject to an injection
vulnerability when name constraints were used within a certificate
chain, allowing the bypass of these name constraints.
- Versions of Node.js with the fix for this escape SANs containing the
problematic characters in order to prevent the injection. This
behavior can be reverted through the `--security-revert` command-line
option.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532
Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
- Node.js did not handle multi-value Relative Distinguished Names
correctly. Attackers could craft certificate subjects containing a
single-value Relative Distinguished Name that would be interpreted as a
multi-value Relative Distinguished Name, for example, in order to inject
a Common Name that would allow bypassing the certificate subject
verification.
- Affected versions of Node.js do not accept multi-value Relative
Distinguished Names and are thus not vulnerable to such attacks
themselves. However, third-party code that uses node's ambiguous
presentation of certificate subjects may be vulnerable.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533
Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
- Due to the formatting logic of the `console.table()` function it was
not safe to allow user controlled input to be passed to the `properties`
parameter while simultaneously passing a plain object with at least one
property as the first parameter, which could be `__proto__`. The
prototype pollution has very limited control, in that it only allows an
empty string to be assigned numerical keys of the object prototype.
- Versions of Node.js with the fix for this use a null protoype for the
object these properties are being assigned to.
- More details will be available at
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824
PR-URL: https://github.com/nodejs-private/node-private/pull/311
Diffstat (limited to 'doc/changelogs')
| -rw-r--r-- | doc/changelogs/CHANGELOG_V17.md | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/doc/changelogs/CHANGELOG_V17.md b/doc/changelogs/CHANGELOG_V17.md index 35a2090e81..664c330a6c 100644 --- a/doc/changelogs/CHANGELOG_V17.md +++ b/doc/changelogs/CHANGELOG_V17.md @@ -8,6 +8,7 @@ </tr> <tr> <td> +<a href="#17.3.1">17.3.1</a><br/> <a href="#17.3.0">17.3.0</a><br/> <a href="#17.2.0">17.2.0</a><br/> <a href="#17.1.0">17.1.0</a><br/> @@ -36,6 +37,57 @@ * [io.js](CHANGELOG_IOJS.md) * [Archive](CHANGELOG_ARCHIVE.md) +<a id="17.3.1"></a> + +## 2022-01-10, Version 17.3.1 (Current), @BethGriggs + +This is a security release. + +### Notable changes + +#### Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) + +Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. + +Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the `--security-revert` command-line option. + +More details will be available at [CVE-2021-44531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531) after publication. + +#### Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532) + +Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. + +Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the `--security-revert` command-line option. + +More details will be available at [CVE-2021-44532](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532) after publication. + +#### Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533) + +Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification. + +Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable. + +More details will be available at [CVE-2021-44533](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533) after publication. + +#### Prototype pollution via `console.table` properties (Low)(CVE-2022-21824) + +Due to the formatting logic of the `console.table()` function it was not safe to allow user controlled input to be passed to the `properties` parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be `__proto__`. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype. + +Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to. + +More details will be available at [CVE-2022-21824](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824) after publication. + +Thanks to Patrik Oldsberg (rugvip) for reporting this vulnerability. + +### Commits + +* \[[`2a0515f73c`](https://github.com/nodejs/node/commit/2a0515f73c)] - **console**: fix prototype pollution via console.table (Tobias Nießen) [nodejs-private/node-private#307](https://github.com/nodejs-private/node-private/pull/307) +* \[[`2e2c45553d`](https://github.com/nodejs/node/commit/2e2c45553d)] - **crypto,tls**: implement safe x509 GeneralName format (Tobias Nießen) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300) +* \[[`df3141f59b`](https://github.com/nodejs/node/commit/df3141f59b)] - **src**: add cve reverts and associated tests (Michael Dawson) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300) +* \[[`5398548746`](https://github.com/nodejs/node/commit/5398548746)] - **src**: remove unused x509 functions (Tobias Nießen) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300) +* \[[`1f7fdff64a`](https://github.com/nodejs/node/commit/1f7fdff64a)] - **tls**: fix handling of x509 subject and issuer (Tobias Nießen) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300) +* \[[`b11b4cc69d`](https://github.com/nodejs/node/commit/b11b4cc69d)] - **tls**: drop support for URI alternative names (Tobias Nießen) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300) + <a id="17.3.0"></a> ## 2021-12-17, Version 17.3.0 (Current), @danielleadams |