Improper validation of certificate with host mismatch in Node.js

#VU59549 Improper validation of certificate with host mismatch in Node.js

Published: 2022-01-12

Vulnerability identifier: #VU59549

Vulnerability risk: Medium

CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2021-44532

CWE-ID: CWE-297

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Node.js
Server applications / Web servers

Vendor: Node.js Foundation

Description

The vulnerability allows a remote attacker to perform spoofing attack.

The vulnerability exists due to improper validation of certificates, when converting SANs (Subject Alternative Names) to a string format. A remote attacker can inject special characters into the string and perform spoofing attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Node.js: 17.3.0, 17.2.0, 17.1.0, 17.0.0 - 17.0.1, 16.13.0 - 16.13.1, 16.12.0, 16.11.0 - 16.11.1, 16.10.0, 16.9.0 - 16.9.1, 16.8.0, 16.7.0, 16.6.0 - 16.6.2, 16.5.0, 16.4.0 - 16.4.2, 16.3.0, 16.2.0, 16.1.0, 16.0.0, 15.14.0, 15.13.0, 15.12.0, 15.11.0, 15.10.0, 15.9.0, 15.8.0, 15.7.0, 15.6.0, 15.5.0 - 15.5.1, 15.4.0, 15.3.0, 15.2.0 - 15.2.1, 15.1.0, 15.0.0 - 15.0.1, 14.18.0 - 14.18.2, 14.17.0 - 14.17.6, 14.16.0 - 14.16.1, 14.15.0 - 14.15.5, 14.14.0, 14.13.0 - 14.13.1, 14.12.0, 14.11.0, 14.10.0 - 14.10.1, 14.9.0, 14.8.0, 14.7.0, 14.6.0, 14.5.0, 14.4.0, 14.3.0, 14.2.0, 14.1.0, 14.0.0, 13.14.0, 13.13.0, 13.12.0, 13.11.0, 13.10.0 - 13.10.1, 13.9.0, 13.8.0, 13.7.0, 13.6.0, 13.5.0, 13.4.0, 13.3.0, 13.2.0, 13.1.0, 13.0.0 - 13.0.1, 12.22.0 - 12.22.8, 12.21.0, 12.20.0 - 12.20.2, 12.19.0 - 12.19.1, 12.18.0 - 12.18.4, 12.17.0, 12.16.0 - 12.16.3, 12.15.0, 12.14.0 - 12.14.1, 12.13.0 - 12.13.1, 12.12.0, 12.11.0 - 12.11.1, 12.10.0, 12.9.0 - 12.9.1, 12.8.0 - 12.8.1, 12.7.0, 12.6.0, 12.5.0, 12.4.0, 12.3.0 - 12.3.1, 12.2.0, 12.1.0, 12.0.0

External links
http://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management Monitoring

Multiple vulnerabilities in Red Hat OpenShift Data Foundation 4.13

Multiple vulnerabilities in IBM Cloud Transformation Advisor

Red Hat Enterprise Linux 8.6 Extended Update Support update for the nodejs:14 module

Red Hat Enterprise Linux 8 update for the nodejs:16 module

Red Hat Enterprise Linux 8 update for the nodejs:14 module

Multiple vulnerabilities in IBM Cloud Pak for Watson AIOps Infrastructure Automation

Multiple vulnerabilities in Oracle Linux

Red Hat Software Collections update for rh-nodejs14-nodejs

Red Hat Enterprise Linux 8 update for the nodejs:12 module