Headline
CVE-2022-32215: July 7th 2022 Security Releases | Node.js
The llhttp parser in the http module in Node v17.6.0 does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
Updates are now available for the v18.x, v16.x, and v14.x Node.js release lines for the following issues.
The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
More details will be available at CVE-2022-32213 after publication.
Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.
Impacts:
- All versions of the 18.x, 16.x, and 14.x releases lines.
- llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js
The llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
More details will be available at CVE-2022-32214 after publication.
Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.
Impacts:
- All versions of the 18.x, 16.x, and 14.x releases lines.
- llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js
The llhttp parser in the http module does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
More details will be available at CVE-2022-32215 after publication.
Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.
Impacts:
- All versions of the 18.x, 16.x, and 14.x releases lines.
- llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js
The IsAllowedHost check can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided (for instance 10.0.2.555 is provided), browsers (such as Firefox) will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MITM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884.
More details will be available at CVE-2022-32212 after publication.
Thank you to Axel Chong for reporting this vulnerability.
Impacts:
- All versions of the 18.x, 16.x, and 14.x releases lines.
This vulnerability can be exploited if the victim has the following dependencies on Windows machine:
- OpenSSL has been installed and “C:\Program Files\Common Files\SSL\openssl.cnf” exists.
Whenever the above conditions are present, node.exe will search for providers.dll in the current user directory. After that, node.exe will try to search for providers.dll by the DLL Search Order in Windows.
It is possible for an attacker to place the malicious file providers.dll under a variety of paths and exploit this vulnerability.
More details will be available at CVE-2022-32223 after publication.
Thank you to Yakir Kadkoda from Aqua Security for reporting this vulnerability.
Impacts:
- All versions of the 16.x, and 14.x releases lines.
Note:
- This is a breaking change that has been made to the v14.x, v16.x, and v18.x releases lines.
Node.js can use an OpenSSL configuration file by specifying the environment variable OPENSSL_CONF, or using the command line option --openssl-conf, and if none of those are specified will default to reading the default OpenSSL configuration file openssl.cnf. Node.js will only read a section that is by default named nodejs_conf.
If your installation was using the default openssl.cnf file and is affected by this breaking change you can fall back to the previous behavior by:
- Adding --openssl-shared-config to the command line (Node.js 18.5.0 only); or
- Creating a new nodejs_conf section in that file and copying the contents of the default section into the new nodejs_conf section.
When Node.js starts on linux based systems, it attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, which ordinarily doesn’t exist. On some shared systems an attacker may be able create this file and therefore affect the default OpenSSL configuration for other users.
Thank you to Michael Scovetta from the OpenSSF Alpha-Omega project for reporting this vulnerability.
Impacts:
- Node.js 18.x
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn’t written. In the special case of “in place” encryption, sixteen bytes of the plaintext would be revealed.
Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.
Impacts:
- All versions of the 18.x, 16.x, and 14.x releases lines.
Downloads and release details
- Node.js v14.20.0 (LTS)
- Node.js v16.16.0 (LTS)
- Node.js v18.5.0 (Current)
The Node.js Security Releases will be available on, or shortly after, Thursday, July 7th, 2022.
With respect to the vulnerabilities in the OpenSSL Security releases of Jul 5th 2022 affects Node.js v18.x, v16.x, and v14.x.
- Node.js is affected by one MODERATE vulnerability on Windows 32-Bit x86.
The security release will be delayed so that we can incorporate the the updated OpenSSL versions. We will post another update once we have an updated target for the release date.
Our assessment of the security advisory is:
This vulnerability affects OpenSSL 3.0.4 users. However, Node.js has not shipped any version that used OpenSSL 3.0.4. Therefore, Node.js is not affected.
This vulnerability affects Windows 32-Bit x86 users using AES OCB encryption. The serverity is MODERATE.
The OpenSSL versions 1.1.1q and 3.0.5 will be released July, 5th 2022. The announcement can be found here: https://mta.openssl.org/pipermail/openssl-announce/2022-July/000229.html
The Node.js team will evaluate the OpenSSL changes when they are available and then announce the new target date by Thursday or earlier.
The Node.js project will release new versions of the 14.x, 16.x, and 18.x releases lines on or shortly after Tuesday, July 5th, 2022 in order to address:
- Three medium severity issues.
- Two high severity issues.
The 18.x release line of Node.js is vulnerable to three medium severity issues and one high severity issues.
The 16.x release line of Node.js is vulnerable to three medium severity issues and two high severity issues.
The 14.x release line of Node.js is vulnerable to three medium severity issues and two high severity issues.
Releases will be available on, or shortly after, Tuesday, July 5th, 2022.
However, when details of the OpenSSL defects are released on the 5th, our team will be making a more detailed assessment on the likely severity for Node.js users.
The OpenSSL release may delay the Node.js release date. See OpenSSL Security Release
Please monitor the nodejs-sec Google Group for updates, including a decision within 24 hours after the OpenSSL release regarding release timing, and full details of the defects upon eventual release: https://groups.google.com/forum/#!forum/nodejs-sec
The current Node.js security policy can be found at https://nodejs.org/en/security/. Please follow the process outlined in https://github.com/nodejs/node/blob/main/SECURITY.md if you wish to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.
Related news
Gentoo Linux Security Advisory 202405-29 - Multiple vulnerabilities have been discovered in Node.js. Versions greater than or equal to 16.20.2 are affected.
Ubuntu Security Notice 6418-1 - It was discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to cause a denial of service. This issue was only fixed in Ubuntu 20.04 LTS. VÃt Å esták discovered that Node.js incorrectly handled certain inputs. If a user or an automated system were tricked into opening a specially crafted input file, a remote attacker could possibly use this issue to execute arbitrary code.
Vulnerability in the Oracle Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u361, 8u361-perf, 11.0.18, 17.0.6; Oracle GraalVM Enterprise Edition: 20.3.9, 21.3.5 and 22.3.1. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all Oracle Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability can also be exploited by using APIs in the specified Component, e.g., through...
Debian Linux Security Advisory 5326-1 - Multiple vulnerabilities were discovered in Node.js, which could result in HTTP request smuggling, bypass of host IP address validation and weak randomness setup.
Vulnerability in the Oracle Demantra Demand Management product of Oracle Supply Chain (component: E-Business Collections). Supported versions that are affected are 12.1 and 12.2. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Demantra Demand Management. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Demantra Demand Management accessible data. CVSS 3.1 Base Score 7.5 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N).
Red Hat Security Advisory 2022-6985-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a HTTP request smuggling vulnerability.
Vulnerability in the Oracle Web Applications Desktop Integrator product of Oracle E-Business Suite (component: Upload). Supported versions that are affected are 12.2.3-12.2.11. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Web Applications Desktop Integrator. Successful attacks of this vulnerability can result in takeover of Oracle Web Applications Desktop Integrator. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8.4 Extended Update Support. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32212: nodejs: DNS rebinding in --inspect via invalid IP addresses * CVE-2022-32213: nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding * CVE-2022-32214: nodejs: HTTP request smuggling due to improper delimiting of header fields * CVE-2022-32215: nodejs: HTTP request smuggling due to incorrec...
Red Hat Security Advisory 2022-6595-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.
An update for nodejs and nodejs-nodemon is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-7788: nodejs-ini: Prototype pollution via malicious INI file * CVE-2020-28469: nodejs-glob-parent: Regular expression denial of service * CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes * CVE-2021-33502: nodejs-normalize-url: ReDoS for data URLs * CVE-2022-29244: nodejs: npm pac...
Red Hat Security Advisory 2022-6448-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a HTTP request smuggling vulnerability.
Red Hat Security Advisory 2022-6449-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include HTTP request smuggling and denial of service vulnerabilities.
An update for the nodejs:16 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2021-3807: nodejs-ansi-regex: Regular expression denial of service (ReDoS) matching ANSI escape codes * CVE-2022-32212: nodejs: DNS rebinding in --inspect via invalid IP addresses * CVE-2022-32213: nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding * CVE-2022-32214: nodejs: HTTP request smuggling due to improper delimiting...
An update for the nodejs:14 module is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32212: nodejs: DNS rebinding in --inspect via invalid IP addresses * CVE-2022-32213: nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding * CVE-2022-32214: nodejs: HTTP request smuggling due to improper delimiting of header fields * CVE-2022-32215: nodejs: HTTP request smuggling due to incorrect parsing of multi-line Tr...
OpenHarmony-v3.1.2 and prior versions have a heap overflow vulnerability. Local attackers can trigger a heap overflow and get network sensitive information.
Red Hat Security Advisory 2022-6389-01 - Node.js is a software development platform for building fast and scalable network applications in the JavaScript programming language. Issues addressed include a HTTP request smuggling vulnerability.
An update for rh-nodejs14-nodejs and rh-nodejs14-nodejs-nodemon is now available for Red Hat Software Collections. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2022-32212: nodejs: DNS rebinding in --inspect via invalid IP addresses * CVE-2022-32213: nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding * CVE-2022-32214: nodejs: HTTP request smuggling due to improper delimiting of header fields * CVE-2022-32215: nodejs: HTTP request smuggling due to inc...
A OS Command Injection vulnerability exists in Node.js versions <14.20.0, <16.20.0, <18.5.0 due to an insufficient IsAllowedHost check that can easily be bypassed because IsIPAddress does not properly check if an IP address is invalid before making DBS requests allowing rebinding attacks.
The llhttp parser in the http module in Node.js does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
All security issues have been patched – update now
All security issues have been patched – update now
All security issues have been patched – update now
All security issues have been patched – update now
All security issues have been patched – update now
All security issues have been patched – update now
IBM Cognos Analytics 11.1.7, 11.2.0, and 11.1.7 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. IBM X-Force ID: 211240.
Vulnerability in the Oracle Database Enterprise Edition Unified Audit component of Oracle Database Server. Supported versions that are affected are 12.1.0.2, 12.2.0.1 and 19c. Easily exploitable vulnerability allows high privileged attacker having Local Logon privilege with network access via Oracle Net to compromise Oracle Database Enterprise Edition Unified Audit. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Database Enterprise Edition Unified Audit accessible data. CVSS 3.1 Base Score 2.7 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N).
Vulnerability in the Java SE, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Library). Supported versions that are affected are Java SE: 7u301, 8u291, 11.0.11, 16.0.1; Oracle GraalVM Enterprise Edition: 20.3.2 and 21.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Java SE, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. This vulnerability does not apply to Java deployments, typically i...
Vulnerability in the Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Libraries). Supported versions that are affected are Java SE: 7u291, 8u281, 11.0.10, 16; Java SE Embedded: 8u281; Oracle GraalVM Enterprise Edition: 19.3.5, 20.3.1.2 and 21.0.0.2. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability applies to Java deployments that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 5.3 (Integrity impacts). CV...
Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: DML). Supported versions that are affected are 5.7.33 and prior. Easily exploitable vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.9 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H).