Bug 1525106 (CVE-2017-15896)

Summary: CVE-2017-15896 nodejs: Vulnerable to CVE-2017-3737 due to embedded OpenSSL
Product: [Other] Security Response Reporter: Andrej Nemec <anemec>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: alessandro.polidori, bleanhar, ccoleman, dedgar, dmcphers, jgoulding, jkeck, kseifried, mrunge, nodejs-sig, piotr1212, sgallagh, slawomir, tchollingsworth, thrcka, yozone, zsvetlik
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: nodejs 9.2.1, nodejs 8.9.3, nodejs 6.12.2, nodejs 4.8.7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-02-27 00:52:56 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1525107, 1525108, 1525109    
Bug Blocks: 1525111    

Description Andrej Nemec 2017-12-12 15:50:22 UTC 
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.

External References:

https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
Comment 1 Andrej Nemec 2017-12-12 15:51:29 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-6 [bug 1525107]
Affects: fedora-26 [bug 1525108]
Affects: openshift-1 [bug 1525109]
Comment 2 Tomas Hoger 2017-12-12 21:11:19 UTC 
The Fedora and EPEL trackers were immediately closed as notabug because of those versions using system OpenSSL rather than bundled.  However, it's not quite clear what this CVE is for.  Upstream advisory notes two problems affecting Node.js:

- Bundled OpenSSL affected by CVE-2017-3737 and fixed by upgrading to newer OpenSSL.  There is no reason to use new CVE for that, and the original OpenSSL CVE should be used in that context.

- A flaw in the http2 module, that is fixed in the Node.js code.  Presumably, this module performed SSL_read/SSL_write after handshake failure and hence triggering CVE-2017-3737 in OpenSSL.  Upstream advisory does not indicate if this fix is needed when when using patched OpenSSL.  This may be what CVE-2017-15896 is for.
Comment 3 Stephen Gallagher 2017-12-12 21:21:30 UTC 
For what it's worth, the newest upstream release of all affected streams of Fedora and EPEL are already in the updates queue. I had built them and submitted them within an hour of the upstream release. So if you want to reopen those BZs, I can add them to the errata I suppose.