| 1 | +--- |
| 2 | +date: 2022-10-24T17:00:15.000Z |
| 3 | +category: vulnerability |
| 4 | +title: OpenSSL and zlib update assessment, and Node.js Assessment workflow |
| 5 | +slug: openssl-and-zlib-vulnerability-assessment-oct2022 |
| 6 | +layout: blog-post.hbs |
| 7 | +author: Rafael Gonzaga |
| 8 | +--- |
| 9 | + |
| 10 | +## Summary |
| 11 | + |
| 12 | +The vulnerability in the OpenSSL Security release of Oct 11 2022 does not affect any active Node.js release lines, as well |
| 13 | +as the zlib vulnerability ([CVE-2022-37434][]) patched on the zlib Security release of Oct 13 2022, does not affect Node.js. |
| 14 | + |
| 15 | +## Analysis OpenSSL |
| 16 | + |
| 17 | +Our assessment of the [security advisory](https://mta.openssl.org/pipermail/openssl-announce/2022-October/000236.html) is: |
| 18 | + |
| 19 | +### Using a Custom Cipher with `NID_undef` may lead to NULL encryption (CVE-2022-3358) |
| 20 | + |
| 21 | +Node.js doesn't call `EVP_CIPHER_meth_new(NID_undef, ...)`. Therefore, Node.js is not affected by this vulnerability. |
| 22 | + |
| 23 | +## Analysis zlib |
| 24 | + |
| 25 | +Our assessment of the [CVE-2022-37434][] is: |
| 26 | + |
| 27 | +### Buffer overflow in inflate via a large gzip header extra field |
| 28 | + |
| 29 | +Node.js doesn't call `inflateGetHeader`. Therefore, Node.js is not affected by this vulnerability. |
| 30 | + |
| 31 | +Further information, see: [nodejs-dependency-vuln-assessments#50][]. |
| 32 | + |
| 33 | +## Node.js Vulnerability Assessment workflow |
| 34 | + |
| 35 | +The Node.js Security team created an automated workflow that aims to address all the public CVE of Node.js dependencies. |
| 36 | + |
| 37 | +This initiative aims to reduce the gap between a dependency security release and a Node.js assessment. |
| 38 | +The repository is available at [nodejs/nodejs-dependency-vuln-assessments][], and the assessments are made through the |
| 39 | +issues. |
| 40 | + |
| 41 | +Ensure to watch the repository if you are interested in security patches. |
| 42 | + |
| 43 | +### Contact and future updates |
| 44 | + |
| 45 | +The current Node.js security policy can be found at <https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security>, |
| 46 | +including information on how to report a vulnerability in Node.js. |
| 47 | + |
| 48 | +Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at |
| 49 | +https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on |
| 50 | +security vulnerabilities and security-related releases of Node.js and the |
| 51 | +projects maintained in the |
| 52 | +[Node.js GitHub organization][]. |
| 53 | + |
| 54 | +[CVE-2022-37434]: https://nvd.nist.gov/vuln/detail/CVE-2022-37434 |
| 55 | +[nodejs-dependency-vuln-assessments#50]: https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/50 |
| 56 | +[nodejs/nodejs-dependency-vuln-assessments]: https://github.com/nodejs/nodejs-dependency-vuln-assessments |
| 57 | +[Node.js GitHub organization]: https://github.com/nodejs |
| 58 | + |
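Review bot: the Summary paragraph (new-file lines 12-13) is one ungrammatical run-on, "does not affect any active Node.js release lines, as well as the zlib vulnerability ... does not affect Node.js"; split it into two sentences, e.g. "The vulnerability in the OpenSSL security release of Oct 11 2022 does not affect any active Node.js release line. The zlib vulnerability ([CVE-2022-37434][]) patched in the zlib security release of Oct 13 2022 does not affect Node.js either." The zlib section (lines 23-31) links only the NVD entry, whereas the OpenSSL section links the upstream advisory; add a link to the zlib fix or release notes so a reader can check the `inflateGetHeader` condition that the assessment rests on. Smaller points: the headings "Analysis OpenSSL" and "Analysis zlib" (lines 15 and 23) read better as "OpenSSL analysis" and "zlib analysis", matching "Node.js Vulnerability Assessment workflow"; "Further information, see:" (line 31) should be "For further information, see:"; "all the public CVE of Node.js dependencies" (line 35) should be "all public CVEs in Node.js dependencies"; "Ensure to watch the repository" (line 41) should be "Watch the repository"; and the nodejs-sec address (line 49) is a bare URL where the rest of the post uses angle-bracket or reference-style links.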