Oct 24, 2022 - 12:00 a.m.

OpenSSL and zlib update assessment, and Node.js Assessment workflow

2022-10-24 00:00:00
OpenJS Foundation
nodejs.org
Tags: openssl, zlib, node.js, vulnerability, security assessment, cve, automated workflow, dependency, security patches, security policy, vulnerability reporting, mailing list

CVSS3: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
AI Score: 8.9 (Confidence: High)
EPSS: 0.003 (Percentile: 71.6%)

Summary

The vulnerability fixed in the OpenSSL security release of Oct 11 2022 does not affect any active Node.js release line, and the zlib vulnerability (CVE-2022-37434) patched in the zlib security release of Oct 13 2022 does not affect Node.js either.

Analysis OpenSSL

Our assessment of the security advisory is:

Using a Custom Cipher with NID_undef may lead to NULL encryption (CVE-2022-3358)

Node.js doesn’t call EVP_CIPHER_meth_new(NID_undef, ...). Therefore, Node.js is not affected by this vulnerability.

Analysis zlib

Our assessment of CVE-2022-37434 is:

Buffer overflow in inflate via a large gzip header extra field

Node.js doesn’t call inflateGetHeader. Therefore, Node.js is not affected by this vulnerability.

For further information, see nodejs-dependency-vuln-assessments#50.
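Both assessments above reduce to the same question: does the code base call the one API the advisory names as the exposed entry point (EVP_CIPHER_meth_new with NID_undef for CVE-2022-3358, inflateGetHeader for CVE-2022-37434)? The script below is an added example, not code from the Node.js project or from the nodejs-dependency-vuln-assessments repository. It scans a source tree for those calls, ignores commented-out occurrences so a stale comment does not produce a false "affected", and reports the "affected" / "not affected" verdict the way the assessments above phrase it. The sample tree it builds (file names and contents) is constructed for the demonstration and does not correspond to real Node.js files.

```python
"""Dependency-CVE triage helper: does a source tree call the API an advisory
names as the only exposed entry point?  Added example, not Node.js project code."""
import re
import tempfile
from pathlib import Path

# Advisory-derived rules taken from the assessment text above:
# CVE -> regex matching the call that makes a consumer exposed.
EXPOSURE_RULES = {
    "CVE-2022-3358": re.compile(r"\bEVP_CIPHER_meth_new\s*\(\s*NID_undef\b"),
    "CVE-2022-37434": re.compile(r"\binflateGetHeader\s*\("),
}

SOURCE_SUFFIXES = {".c", ".cc", ".cpp", ".h", ".hpp"}


def strip_c_comments(text):
    """Blank out /* */ and // comments while preserving newlines, so a
    commented-out call is not counted and line numbers stay correct."""
    keep_newlines = lambda m: re.sub(r"[^\n]", " ", m.group(0))
    text = re.sub(r"/\*.*?\*/", keep_newlines, text, flags=re.S)
    text = re.sub(r"//[^\n]*", " ", text)
    return text


def find_exposures(root, rules=EXPOSURE_RULES):
    """Return {cve: [(relative_path, line_number), ...]} for every live call."""
    root = Path(root)
    hits = {cve: [] for cve in rules}
    for path in sorted(root.rglob("*")):
        if not path.is_file() or path.suffix not in SOURCE_SUFFIXES:
            continue
        code = strip_c_comments(path.read_text(encoding="utf-8", errors="replace"))
        for cve, pattern in rules.items():
            for match in pattern.finditer(code):
                line_no = code.count("\n", 0, match.start()) + 1
                hits[cve].append((path.relative_to(root).as_posix(), line_no))
    return hits


def assess(hits):
    """Turn call sites into the verdict the assessments above state."""
    return {cve: ("affected" if locs else "not affected") for cve, locs in hits.items()}


# Constructed sample tree (hypothetical file names and contents):
# - cipher.cc registers a custom cipher with a real NID, so CVE-2022-3358 does not apply
# - gz.c mentions inflateGetHeader only inside a comment, which must not count
# - gzread.c really calls inflateGetHeader, so CVE-2022-37434 applies
SAMPLE_TREE = {
    "src/crypto/cipher.cc": "// custom cipher wrapper\n"
                            "EVP_CIPHER *c = EVP_CIPHER_meth_new(NID_aes_128_cbc, 16, 16);\n",
    "src/zlib/gz.c": "/* inflateGetHeader(&strm, &head); removed long ago */\n"
                     "int r = inflate(&strm, Z_NO_FLUSH);\n",
    "vendor/gzread.c": "z_stream s; gz_header h;\n"
                       "if (inflateGetHeader(&s, &h) != Z_OK) return -1;\n",
}


def build_sample_tree():
    """Write SAMPLE_TREE into a temporary directory and return its root."""
    root = Path(tempfile.mkdtemp(prefix="cve-triage-"))
    for rel, content in SAMPLE_TREE.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content, encoding="utf-8")
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    found = find_exposures(tree)
    for cve, verdict in assess(found).items():
        print(f"{cve}: {verdict}")
        for rel, line in found[cve]:
            print(f"    {rel}:{line}")
```

A symbol scan like this only establishes direct exposure; vendored or transitively linked code has to be scanned with the same rules, and a "not affected" verdict should be recorded with the rule that produced it so it can be re-run when the advisory is amended.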

Node.js Vulnerability Assessment workflow

The Node.js Security team created an automated workflow that aims to address every public CVE in a Node.js dependency.

This initiative aims to reduce the gap between a dependency security release and a Node.js assessment. The repository is available at nodejs/nodejs-dependency-vuln-assessments, and the assessments are made through the issues.

Watch the repository if you are interested in security patches.
