mirror of
https://github.com/nodejs/node.git
synced 2024-11-21 10:59:27 +00:00
2022-01-10, Version 14.18.3 'Fermium' (LTS)
This is a security release. Notable changes: Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531) - Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. - Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the `--security-revert` command-line option. - More details will be available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531 Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532) - Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. - Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the `--security-revert` command-line option. - More details will be available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532 Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533) - Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification. - Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable. - More details will be available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533 Prototype pollution via `console.table` properties (Low)(CVE-2022-21824) - Due to the formatting logic of the `console.table()` function it was not safe to allow user controlled input to be passed to the `properties` parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be `__proto__`. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype. - Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to. - More details will be available at https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824 PR-URL: https://github.com/nodejs-private/node-private/pull/310
This commit is contained in:
parent
92e1abd541
commit
af829837bc
@ -63,7 +63,8 @@ release.
|
||||
<a href="doc/changelogs/CHANGELOG_V16.md#16.0.0">16.0.0</a><br/>
|
||||
</td>
|
||||
<td valign="top">
|
||||
<b><a href="doc/changelogs/CHANGELOG_V14.md#14.18.2">14.18.2</a></b><br/>
|
||||
<b><a href="doc/changelogs/CHANGELOG_V14.md#14.18.3">14.18.3</a></b><br/>
|
||||
<a href="doc/changelogs/CHANGELOG_V14.md#14.18.2">14.18.2</a><br/>
|
||||
<a href="doc/changelogs/CHANGELOG_V14.md#14.18.1">14.18.1</a><br/>
|
||||
<a href="doc/changelogs/CHANGELOG_V14.md#14.18.0">14.18.0</a><br/>
|
||||
<a href="doc/changelogs/CHANGELOG_V14.md#14.17.6">14.17.6</a><br/>
|
||||
|
@ -1461,7 +1461,9 @@ decrease overall server throughput.
|
||||
<!-- YAML
|
||||
added: v0.8.4
|
||||
changes:
|
||||
- version: v12.22.9
|
||||
- version:
|
||||
- v14.18.3
|
||||
- v12.22.9
|
||||
pr-url: https://github.com/nodejs-private/node-private/pull/300
|
||||
description: Support for `uniformResourceIdentifier` subject alternative
|
||||
names has been disabled in response to CVE-2021-44531.
|
||||
|
@ -9,6 +9,7 @@
|
||||
</tr>
|
||||
<tr>
|
||||
<td valign="top">
|
||||
<a href="#14.18.3">14.18.3</a><br/>
|
||||
<a href="#14.18.2">14.18.2</a><br/>
|
||||
<a href="#14.18.1">14.18.1</a><br/>
|
||||
<a href="#14.18.0">14.18.0</a><br/>
|
||||
@ -69,6 +70,57 @@
|
||||
* [io.js](CHANGELOG_IOJS.md)
|
||||
* [Archive](CHANGELOG_ARCHIVE.md)
|
||||
|
||||
<a id="14.18.3"></a>
|
||||
|
||||
## 2022-01-10, Version 14.18.3 'Fermium' (LTS), @richardlau
|
||||
|
||||
This is a security release.
|
||||
|
||||
### Notable changes
|
||||
|
||||
#### Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)
|
||||
|
||||
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.
|
||||
|
||||
Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the `--security-revert` command-line option.
|
||||
|
||||
More details will be available at [CVE-2021-44531](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531) after publication.
|
||||
|
||||
#### Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)
|
||||
|
||||
Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.
|
||||
|
||||
Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the `--security-revert` command-line option.
|
||||
|
||||
More details will be available at [CVE-2021-44532](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532) after publication.
|
||||
|
||||
#### Incorrect handling of certificate subject and issuer fields (Medium)(CVE-2021-44533)
|
||||
|
||||
Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification.
|
||||
|
||||
Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable.
|
||||
|
||||
More details will be available at [CVE-2021-44533](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533) after publication.
|
||||
|
||||
#### Prototype pollution via `console.table` properties (Low)(CVE-2022-21824)
|
||||
|
||||
Due to the formatting logic of the `console.table()` function it was not safe to allow user controlled input to be passed to the `properties` parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be `__proto__`. The prototype pollution has very limited control, in that it only allows an empty string to be assigned numerical keys of the object prototype.
|
||||
|
||||
Versions of Node.js with the fix for this use a null protoype for the object these properties are being assigned to.
|
||||
|
||||
More details will be available at [CVE-2022-21824](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824) after publication.
|
||||
|
||||
Thanks to Patrik Oldsberg (rugvip) for reporting this vulnerability.
|
||||
|
||||
### Commits
|
||||
|
||||
* \[[`e2a74f3c99`](https://github.com/nodejs/node/commit/e2a74f3c99)] - **console**: fix prototype pollution via console.table (Tobias Nießen) [nodejs-private/node-private#307](https://github.com/nodejs-private/node-private/pull/307)
|
||||
* \[[`df1b2c33f6`](https://github.com/nodejs/node/commit/df1b2c33f6)] - **crypto,tls**: implement safe x509 GeneralName format (Tobias Nießen and Akshay Kumar) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300)
|
||||
* \[[`9f2c52617f`](https://github.com/nodejs/node/commit/9f2c52617f)] - **src**: add cve reverts and associated tests (Michael Dawson and Akshay Kumar) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300)
|
||||
* \[[`b14be42518`](https://github.com/nodejs/node/commit/b14be42518)] - **src**: remove unused x509 functions (Tobias Nießen and Akshay Kumar) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300)
|
||||
* \[[`83d8f880bb`](https://github.com/nodejs/node/commit/83d8f880bb)] - **tls**: fix handling of x509 subject and issuer (Tobias Nießen and Akshay Kumar) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300)
|
||||
* \[[`461a0c674b`](https://github.com/nodejs/node/commit/461a0c674b)] - **tls**: drop support for URI alternative names (Tobias Nießen and Akshay Kumar) [nodejs-private/node-private#300](https://github.com/nodejs-private/node-private/pull/300)
|
||||
|
||||
<a id="14.18.2"></a>
|
||||
|
||||
## 2021-11-30, Version 14.18.2 'Fermium' (LTS), @richardlau
|
||||
|
Loading…
Reference in New Issue
Block a user