CVSS2: 6.4 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N

CVSS3: 9.1 High
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

AI Score: 6.8 Medium
Confidence: Low

EPSS: 0.946 High
Percentile: 99.3%

Updates are now available for all active Node.js release lines. These include the fix for the vulnerability identified in the initial announcement.
In addition, the updates for 8.X and 9.X include a fix for a low severity buffer vulnerability, as described below.
We recommend that all users upgrade as soon as possible.
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 through its use of SSL_read() after a TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.
The original HTTP module was not affected.
The vulnerability in the HTTP2 module (which only exists in the 8.X and 9.X lines) was fixed through nodejs/node@f3686f2. HTTP2 was previously exploitable through the submission of malicious data by an attacker.
The vulnerability in the TLS module was fixed by incorporating OpenSSL-1.0.2n into Node.js. We are not currently aware of any exploits, but the module was previously at severe risk of accepting unauthenticated data. See the OpenSSL advisory secadv-20171207.txt for more details on the fixes in OpenSSL-1.0.2n.
The HTTPS module was not affected.
This vulnerability has been assigned CVE-2017-15896.
We would like to thank Matt Caswell (OpenSSL) and David Benjamin (Google) for reporting this.
Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example: `Buffer.alloc(0x100, "This is not correctly encoded", "hex");`. The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.
Versions 4.X and 6.X were not vulnerable.
The severity of this information disclosure vulnerability was low (due to the combination of coding errors that need to have been made in order to make it exploitable) and it has been assigned CVE-2017-15897.
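The following is an added example, not code from the Node.js project: a guard that decodes the fill value before allocating, so a mismatch between fill and encoding is rejected by the application, plus a probe that classifies how the running runtime handles the call quoted above. The names `decodeFill`, `allocFilled` and `probeMismatchedFill` are hypothetical.

```javascript
// Added example (not Node.js project code); function names are hypothetical.

// Decode the fill value up front so an encoding mismatch is caught before
// any allocation happens, instead of relying on the runtime's fallback.
function decodeFill(fill, encoding) {
  if (typeof fill !== 'string' || fill.length === 0) {
    throw new TypeError('fill must be a non-empty string');
  }
  if (!Buffer.isEncoding(encoding)) {
    throw new TypeError('unknown encoding: ' + encoding);
  }
  // Hex decoding stops silently at the first invalid pair, so check strictly.
  if (encoding.toLowerCase() === 'hex' && !/^(?:[0-9a-f]{2})+$/i.test(fill)) {
    throw new RangeError('fill is not valid hex');
  }
  const bytes = Buffer.from(fill, encoding);
  if (bytes.length === 0) {
    throw new RangeError('fill decodes to zero bytes under ' + encoding);
  }
  return bytes;
}

// Allocate zeroed memory first, then repeat the already-decoded bytes,
// so no string decoding takes place during the fill itself.
function allocFilled(size, fill, encoding) {
  const bytes = decodeFill(fill, encoding);
  return Buffer.alloc(size).fill(bytes);
}

// Run the call quoted in the advisory and classify what this runtime does.
// A non-zero byte means memory was left uninitialized; an all-zero result
// is consistent with the fix but cannot prove it. Some Node.js releases
// reject the call outright, which is reported as 'throws'.
function probeMismatchedFill() {
  let buf;
  try {
    buf = Buffer.alloc(0x100, 'This is not correctly encoded', 'hex');
  } catch (err) {
    return 'throws';
  }
  return buf.every((b) => b === 0) ? 'zeroed' : 'nonzero';
}

console.log('runtime behaviour on mismatched fill:', probeMismatchedFill());
```

A result of `nonzero` from the probe indicates a runtime that still returns uninitialized memory for this call.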
Note that CVE-2017-3738 of OpenSSL-1.0.2 affected Node but it was low severity as described in secadv-20171207.txt.
The original post is included below.
The Node.js project will be releasing new versions of 4.x, 6.x, 8.x and 9.x as soon as possible after the OpenSSL release, on or soon after December 8th UTC, to incorporate a security fix.
All versions of 4.x, 6.x, 8.x and 9.x are vulnerable to an issue to be fixed in the forthcoming OpenSSL-1.0.2n, to be released on Dec 7; see <https://mta.openssl.org/pipermail/openssl-announce/2017-December/000108.html> for more details. The severity of this vulnerability for Node.js is HIGH (due to the way Node.js uses the OpenSSL APIs) and users of the affected versions should plan to upgrade when a fix is made available.
Releases will be available as soon as possible after the OpenSSL release, along with disclosure of the details for the vulnerability in order to allow for complete impact assessment by users.