doc: openssl and zlib assessment #4892

Merged
merged 1 commit into from
Oct 25, 2022
@@ -0,0 +1,57 @@
---
date: 2022-10-24T20:00:15.000Z
category: vulnerability
title: OpenSSL and zlib update assessment, and Node.js Assessment workflow
slug: openssl-and-zlib-vulnerability-assessment-oct2022
layout: blog-post.hbs
author: Rafael Gonzaga
---

## Summary

The vulnerability in the OpenSSL Security release of Oct 11 2022 does not affect any active Node.js release lines, as well
as the zlib vulnerability ([CVE-2022-37434][]) patched on the zlib Security release of Oct 13 2022, does not affect Node.js.

## Analysis OpenSSL

Our assessment of the [security advisory](https://mta.openssl.org/pipermail/openssl-announce/2022-October/000236.html) is:

### Using a Custom Cipher with `NID_undef` may lead to NULL encryption (CVE-2022-3358)

Node.js doesn't call `EVP_CIPHER_meth_new(NID_undef, ...)`. Therefore, Node.js is not affected by this vulnerability.

## Analysis zlib

Our assessment of the [CVE-2022-37434][] is:

### Buffer overflow in inflate via a large gzip header extra field

Node.js doesn't call `inflateGetHeader`. Therefore, Node.js is not affected by this vulnerability.

Further information, see: [nodejs-dependency-vuln-assessments#50][].

## Node.js Vulnerability Assessment workflow

The Node.js Security team created an automated workflow that aims to address all the public CVE of Node.js dependencies.

This initiative aims to reduce the gap between a dependency security release and a Node.js assessment.
The repository is available at [nodejs/nodejs-dependency-vuln-assessments][], and the assessments are made through the
issues.

Ensure to watch the repository if you are interested in security patches.

### Contact and future updates

The current Node.js security policy can be found at <https://github.com/nodejs/node/blob/HEAD/SECURITY.md#security>,
including information on how to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only **nodejs-sec** mailing list at
https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on
security vulnerabilities and security-related releases of Node.js and the
projects maintained in the
[Node.js GitHub organization][].

[CVE-2022-37434]: https://nvd.nist.gov/vuln/detail/CVE-2022-37434
[nodejs-dependency-vuln-assessments#50]: https://github.com/nodejs/nodejs-dependency-vuln-assessments/issues/50
[nodejs/nodejs-dependency-vuln-assessments]: https://github.com/nodejs/nodejs-dependency-vuln-assessments
[Node.js GitHub organization]: https://github.com/nodejs
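Review bot: the summary sentence at the top of the hunk ("The vulnerability in the OpenSSL Security release of Oct 11 2022 does not affect any active Node.js release lines, as well as the zlib vulnerability ([CVE-2022-37434][]) patched on the zlib Security release of Oct 13 2022, does not affect Node.js.") is ungrammatical and never names the OpenSSL CVE it is summarizing; suggest "Neither the OpenSSL vulnerability fixed in the Oct 11 2022 security release (CVE-2022-3358) nor the zlib vulnerability ([CVE-2022-37434][]) fixed in the Oct 13 2022 zlib release affects any active Node.js release line." and adding a `[CVE-2022-3358]` reference link in the link block at the bottom next to the existing `[CVE-2022-37434]` entry so both CVEs are linked. Both "not affected" conclusions rest on a single absence ("Node.js doesn't call `EVP_CIPHER_meth_new(NID_undef, ...)`" and "Node.js doesn't call `inflateGetHeader`") and the post does not state the scope of that claim; say explicitly that the assessment covers Node.js core and the OpenSSL and zlib it bundles, so readers do not read it as covering native addons or builds that link a system OpenSSL or zlib, which need their own assessment. Smaller points in the same hunk: the headings "Analysis OpenSSL" and "Analysis zlib" read better as "OpenSSL analysis" and "zlib analysis"; "Further information, see:" should be "For further information, see:"; "all the public CVE of Node.js dependencies" should be "all public CVEs in Node.js dependencies"; "the assessments are made through the issues" is clearer as "each assessment is tracked as an issue"; "Ensure to watch the repository" should be "Watch the repository"; the front-matter title mixes "update assessment" with "Assessment workflow", so pick one capitalization; and the nodejs-sec URL is bare while the SECURITY.md link just above it is wrapped in angle brackets, so wrap it as `<https://groups.google.com/forum/#!forum/nodejs-sec>` for consistent rendering.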