Bug 643556 (CVE-2017-15896, CVE-2017-15897) - <net-libs/nodejs-8.9.3: Multiple vulnerabilities
Summary: <net-libs/nodejs-8.9.3: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: CVE-2017-15896, CVE-2017-15897
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B4 [noglsa cve]
Reported: 2018-01-05 15:00 UTC by GLSAMaker/CVETool Bot
Modified: 2019-10-26 20:37 UTC
Runtime testing required: ---
Description GLSAMaker/CVETool Bot gentoo-dev 2018-01-05 15:00:58 UTC
CVE-2017-15897 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15897):
  Node.js had a bug in versions 8.X and 9.X which caused buffers to not be
  initialized when the encoding for the fill value did not match the encoding
  specified. For example, 'Buffer.alloc(0x100, "This is not correctly
  encoded", "hex");' The buffer implementation was updated such that the
  buffer will be initialized to all zeros in these cases.

CVE-2017-15896 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15896):
  Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to
  the use of SSL_read() due to TLS handshake failure. The result was that an
  active network attacker could send application data to Node.js using the TLS
  or HTTP2 modules in a way that bypassed TLS authentication and encryption.


@Maintainer, could you confirm whether we are affected? If that's the case, please let us know when the tree is clean.

Thank you
Comment 1 D'juan McDonald (domhnall) 2019-06-24 02:13:28 UTC
https://groups.google.com/forum/#!searchin/nodejs-sec/CVE-2017-15896%7Csort:date/nodejs-sec/7iTRVIR2Yl4/03ELEyGFAQAJ

Data Confidentiality/Integrity Vulnerability - CVE-2017-15896

Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.

- The original HTTP module was not affected.

- The vulnerability in the HTTP2 module (which only existed in the 8.X and 9.X lines) was fixed through nodejs/node@f3686f2. HTTP2 was previously exploitable through the submission of malicious data by an attacker.

- The vulnerability in the TLS module was fixed by incorporating OpenSSL-1.0.2n into Node.js. We are not currently aware of any exploits but it was previously at a severe security risk of accepting unauthenticated data. See this advisory from OpenSSL for more details on the fixes in OpenSSL-1.0.2n https://www.openssl.org/news/secadv/20171207.txt.

- The HTTPS module was not affected.

This vulnerability has been assigned CVE-2017-15896.

We would like to thank Matt Caswell (OpenSSL) and David Benjamin (Google) for reporting this.

Uninitialized buffer vulnerability - CVE-2017-15897

Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example, 'Buffer.alloc(0x100, "This is not correctly encoded", "hex");' The buffer implementation was updated such that the buffer will be initialized to all zeros in these cases.

Versions 4.X and 6.X were not vulnerable.

The severity of this information disclosure vulnerability was low (due to the combination of coding errors that need to have been made in order to make it exploitable) and it has been assigned CVE-2017-15897.

Also included in OpenSSL update - CVE-2017-3738

Note that CVE-2017-3738 of OpenSSL-1.0.2 affected Node but it was low severity as described in https://www.openssl.org/news/secadv/20171207.txt.
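As an added example, not part of this bug report or the Node.js advisory quoted above: a guard around Buffer.alloc() that validates the fill string against the requested encoding before allocating, so an encoding mismatch like the `Buffer.alloc(0x100, "...", "hex")` case behind CVE-2017-15897 yields an explicitly zero-filled buffer rather than depending on how the installed runtime handles it. The helper names (fillBytes, safeAlloc, isAllZero) are assumed here and are not Node.js APIs.

```javascript
'use strict';

// Decode the fill value into the exact bytes that will be written, or return
// null when the text is not valid in `encoding`. Node's decoders silently
// truncate at the first invalid character, so a loose "decoded.length > 0"
// check would still accept partially garbage hex such as "aazz"; hex is
// therefore validated strictly (even length, hex digits only) before decoding.
function fillBytes(fill, encoding = 'utf8') {
  if (Buffer.isBuffer(fill)) return fill;
  if (typeof fill === 'number') return Buffer.from([fill & 0xff]);
  if (typeof fill !== 'string') throw new TypeError('fill must be a string, Buffer or number');
  if (!Buffer.isEncoding(encoding)) throw new TypeError(`unknown encoding: ${encoding}`);
  if (encoding === 'hex' && !/^(?:[0-9a-fA-F]{2})+$/.test(fill)) return null;
  const decoded = Buffer.from(fill, encoding);
  return decoded.length > 0 ? decoded : null;
}

// Allocate `size` bytes. When the fill cannot be decoded in `encoding`, fall
// back to Buffer.alloc(size), which is always zero-filled, instead of handing
// back memory whose contents we cannot vouch for. The flag tells the caller
// that the requested pattern was NOT applied, so it can log or reject the input.
function safeAlloc(size, fill, encoding) {
  const bytes = fillBytes(fill, encoding);
  if (bytes === null) return { buf: Buffer.alloc(size), zeroFilled: true };
  return { buf: Buffer.alloc(size, bytes), zeroFilled: false };
}

// Post-condition check a test suite can run: every byte is zero.
function isAllZero(buf) {
  return buf.every((b) => b === 0);
}

// The advisory's own mismatched example: a UTF-8 sentence passed as "hex".
const { buf, zeroFilled } = safeAlloc(0x100, 'This is not correctly encoded', 'hex');
console.log(`zeroFilled=${zeroFilled} allZero=${isAllZero(buf)} length=${buf.length}`);
// prints: zeroFilled=true allZero=true length=256
```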
Comment 2 Thomas Deutschmann (RETIRED) gentoo-dev 2019-10-26 20:37:52 UTC
GLSA Vote: No!

All done, repository is clean!