CVSS2
Attack Vector: NETWORK
Attack Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
AV:N/AC:L/Au:N/C:P/I:N/A:N
CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
AI Score
Confidence: High
EPSS
Percentile: 91.3%
The OpenSSL Security releases of September 10th, 2019 do not affect Node.js.
Our assessment of the security advisory is:
ECDSA remote timing attack (CVE-2019-1547): Not affected. Node supports only named curves for ECDSA signing.
Fork Protection (CVE-2019-1549): Not affected. Node.js always calls exec() after fork(), so it will not duplicate the PRNG state in the forked process.
Padding Oracle in PKCS7_dataDecode and CMS_decrypt_set1_pkey (CVE-2019-1563): Not affected. Node does not support PKCS7 and CMS.
Given this assessment, the OpenSSL updates will be treated as non-security patch updates, and will come out in the regularly scheduled updates to supported release lines.
Thanks to Shigeki Ohtsu for his rapid analysis of the OpenSSL security advisory.
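The fork-protection item above depends on what fork() does to in-memory generator state. The following is an added example, not code from Node.js or OpenSSL: a toy xorshift64 generator (the names toy_rng, toy_next and fork_outputs_match are hypothetical) shows a child that forks without exec() drawing the same value as its parent, and a PID check that breaks the duplication. exec() replaces the process image, so the copied state is discarded entirely.

```c
#include <stdint.h>
#include <stdio.h>
#include <sys/wait.h>
#include <unistd.h>

/* Toy userspace PRNG (xorshift64) standing in for a library generator. */
struct toy_rng { uint64_t state; pid_t seeded_pid; };

static uint64_t toy_next(struct toy_rng *r, int fork_protect) {
    /* PID changed since seeding: this is a child holding a copy of the parent's
       state. Perturb it here; a real generator would reseed from the OS. */
    if (fork_protect && r->seeded_pid != getpid()) {
        r->state ^= (uint64_t)getpid() * 0x9E3779B97F4A7C15ULL;
        if (r->state == 0) r->state = 1;   /* xorshift state must be non-zero */
        r->seeded_pid = getpid();
    }
    r->state ^= r->state << 13;
    r->state ^= r->state >> 7;
    r->state ^= r->state << 17;
    return r->state;
}

/* 1 if parent and forked child draw the same value, 0 if not, -1 on error. */
int fork_outputs_match(int fork_protect) {
    struct toy_rng rng = { 0x0123456789ABCDEFULL, getpid() };  /* constructed seed */
    int fds[2];
    uint64_t child_val = 0, parent_val;
    if (pipe(fds) != 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fds[0]); close(fds[1]); return -1; }
    if (pid == 0) {                  /* child: no exec(), memory is a copy */
        uint64_t v = toy_next(&rng, fork_protect);
        _exit(write(fds[1], &v, sizeof v) == (ssize_t)sizeof v ? 0 : 1);
    }
    close(fds[1]);
    parent_val = toy_next(&rng, fork_protect);
    ssize_t n = read(fds[0], &child_val, sizeof child_val);
    close(fds[0]);
    waitpid(pid, NULL, 0);
    return n == (ssize_t)sizeof child_val ? parent_val == child_val : -1;
}

int main(void) {
    printf("no fork check: match=%d, pid check: match=%d\n",
           fork_outputs_match(0), fork_outputs_match(1));
    return 0;
}
```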