Bug 1845247 (CVE-2020-8172)
| Summary: | CVE-2020-8172 nodejs: TLS session reuse can lead to hostname verification bypass | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Guilherme de Almeida Suckevicz <gsuckevi> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | bdettelb, hhorak, jorton, jschorr, lmorse, mrunge, nodejs-maint, nodejs-sig, scorneli, security-response-team, sgallagh, tchollingsworth, thrcka, tomckay, zsvetlik |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | nodejs-12.18.0, nodejs-14.4.0 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A TLS Hostname verification bypass vulnerability exists in NodeJS. This flaw allows an attacker to bypass TLS Hostname verification when a TLS client reuses HTTPS sessions.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2020-07-07 13:27:48 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1845248, 1845249, 1845250, 1845251, 1845252, 1845253, 1845254, 1845687, 1845688, 1845689, 1845690, 1845691, 1845692, 1845708, 1845709, 1851456 | ||
| Bug Blocks: | 1845265 | ||
|
Description
Guilherme de Almeida Suckevicz
2020-06-08 18:57:02 UTC
Created nodejs tracking bugs for this issue: Affects: epel-all [bug 1845254] Affects: fedora-all [bug 1845248] Created nodejs:10/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1845249] Created nodejs:11/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1845250] Created nodejs:12/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1845251] Created nodejs:13/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1845252] Created nodejs:14/nodejs tracking bugs for this issue: Affects: fedora-all [bug 1845253] Upstream commits: https://github.com/nodejs/node/commit/2e1b41a708a71ee127a5db9c750760f74db494e4 https://github.com/nodejs/node/commit/0932309af2d9d66611cf5387f2cc925a80cb441f The impact of this vulnerability was reduced to moderate because of the challenges faced by an attacker trying to exploit this vulnerability. In addition to only being able to thwart HTTPS requests which reuse an existing HTTPS session, they would need to be in a privileged network position, such as on the same Wifi network in order to serve malicious HTTPS requests in place of legitimate ones. Statement: This issue only affects the TLS 1.2 protocol, not TLS 1.3. This issue does not affect NodeJS 10. Red Hat Quay installed NodeJS as a dependency of Yarn. It does not use NodeJS at runtime, but executes Javascript on the client's browser instead. Therefore the impact of this vulnerability on Red Hat Quay is low. What is the ETA for this fix with RHEL 8 and NodeJS 12? We have a release deadline for July and this CVE is needed. This issue has been addressed in the following products: Red Hat Enterprise Linux 8.1 Extended Update Support Via RHSA-2020:2847 https://access.redhat.com/errata/RHSA-2020:2847 This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2020:2852 https://access.redhat.com/errata/RHSA-2020:2852 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-8172 This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Red Hat Software Collections for Red Hat Enterprise Linux 7.6 EUS Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS Via RHSA-2020:2895 https://access.redhat.com/errata/RHSA-2020:2895 |