Skip to content

Blog: OpenSSL January 2017 #1114

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jan 27, 2017
Merged

Blog: OpenSSL January 2017 #1114

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions locale/en/blog/vulnerability/openssl-january-2017.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
---
date: 2017-01-27T11:49:06.146Z
category: vulnerability
title: OpenSSL update, 1.0.2k
slug: openssl-january-2017
layout: blog-post.hbs
author: Rod Vagg
---

The OpenSSL project has [announced](https://mta.openssl.org/pipermail/openssl-announce/2017-January/000092.html) the immediate availability of OpenSSL version 1.0.2k.

Although the OpenSSL team have determined a maximum severity rating of "moderate", the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu and Fedor Indutny) have determined the impact to Node users is "low". Details on this determination can be found below.

We will therefore be scheduling releases of all active release lines (7 "Current", 6 "LTS Boron", 4 "LTS Argon") on Tuesday the 31st of January. As releases are made, they will appear on the [nodejs.org news feed](http://nodejs.org/en/blog/) and this post will also be updated with details.

## Node.js Impact Assessment

### [CVE-2017-3731](https://www.openssl.org/news/vulnerabilities.html#2017-3731): Truncated packet could crash via OOB read

This is a moderate severity flaw in OpenSSL. By default, Node.js disables RC4 so most users are not affected. As RC4 can be enabled programmatically, it is possible for a Node.js developer to craft code that may be vulnerable to this flaw. Any user activating RC4 in their codebase should prioritise this update.

All active versions of Node.js **are affected**, but the severity is very low for most users.

### [CVE-2017-3730](https://www.openssl.org/news/vulnerabilities.html#2017-3730): Bad DHE and ECDHE parameters cause a client crash

Because this flaw only impacts OpenSSL 1.1.0 and no active Node.js release line currently bundles this version, Node.js is **not affected**.

### [CVE-2017-3732](https://www.openssl.org/news/vulnerabilities.html#2017-3732): BN_mod_exp may produce incorrect results on x86_64

As noted by the OpenSSL team, the likelihood of being able to craft a practical attack that uses this flaw is very low. In addition, Node.js enables `SSL_OP_SINGLE_DH_USE`, further decreasing the chance of a successful exploit of this vulnerability in a Node.js service.

All active versions of Node.js **are affected**, but the severity is very low for Node.js users.

### [CVE-2016-7055](https://www.openssl.org/news/vulnerabilities.html#2016-7055): Montgomery multiplication may produce incorrect results

Some calculations, when run on an Intel Broadwell or later CPU, can produce in erroneous results. This flaw has been previously discussed by the Node.js team [on GitHub](https://github.com/nodejs/node/issues/9594). It is not believed that practical attacks can be crafted to exploit this vulnerability except in very specific circumstances. Therefore this is a low severity flaw.

All active versions of Node.js **are affected**, but the severity is very low for Node.js users.