Red Hat Bugzilla – Bug 1525106
CVE-2017-15896 nodejs: Vulnerable to CVE-2017-3737 due to embedded OpenSSL
Last modified: 2018-02-26 19:52:56 EST
Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption. External References: https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/
Created nodejs tracking bugs for this issue: Affects: epel-6 [bug 1525107] Affects: fedora-26 [bug 1525108] Affects: openshift-1 [bug 1525109]
The Fedora and EPEL trackers were immediately closed as notabug because of those versions using system OpenSSL rather than bundled. However, it's not quite clear what this CVE is for. Upstream advisory notes two problems affecting Node.js: - Bundled OpenSSL affected by CVE-2017-3737 and fixed by upgrading to newer OpenSSL. There is no reason to use new CVE for that, and the original OpenSSL CVE should be used in that context. - A flaw in the http2 module, that is fixed in the Node.js code. Presumably, this module performed SSL_read/SSL_write after handshake failure and hence triggering CVE-2017-3737 in OpenSSL. Upstream advisory does not indicate if this fix is needed when when using patched OpenSSL. This may be what CVE-2017-15896 is for.
For what it's worth, the newest upstream release of all affected streams of Fedora and EPEL are already in the updates queue. I had built them and submitted them within an hour of the upstream release. So if you want to reopen those BZs, I can add them to the errata I suppose.