Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification. Affected versions of Node.js do not accept multi-value Relative Distinguished Names and are thus not vulnerable to such attacks themselves. However, third-party code that uses node's ambiguous presentation of certificate subjects may be vulnerable. Reference: https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
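The practical takeaway for the "third-party code" case is that identity checks must never be derived from a flat string rendering of the subject. The following is an added illustration, not code from the Node.js project or from this bug report; the subjects are constructed test data, and the one-attribute-per-line rendering is an assumed consumer pattern, not a description of any particular Node.js version's output.

```javascript
// Added example, not code from the Node.js project or from this bug report.
// It shows why identity checks must work on a structured subject rather than
// on a flat string rendering. All subjects below are constructed test data, and
// the "key=value per line" rendering is an assumption about how a third-party
// consumer might stringify a subject, not a claim about a specific Node.js version.

// Ambiguous rendering: an attribute value containing "\n" cannot be told apart
// from an additional RDN once everything is flattened to text.
function renderSubject(subject) {
  return Object.entries(subject).map(([k, v]) => `${k}=${v}`).join('\n');
}

// Naive consumer pattern: every "key=value" line is taken to be one attribute.
function naiveCnMatches(subjectString, expectedCn) {
  return subjectString.split('\n').some((line) => {
    const i = line.indexOf('=');
    return line.slice(0, i) === 'CN' && line.slice(i + 1) === expectedCn;
  });
}

// Hardened check: operate on the structured subject object (e.g. the one
// returned by tls.TLSSocket#getPeerCertificate().subject) and require a single,
// string-valued CN. Treating a non-string value (such as an array) as "not a
// single CN" is the safe default; the array shape is an assumption, not verified.
function strictCnMatches(subject, expectedCn) {
  if (subject === null || typeof subject !== 'object') return false;
  const cn = subject.CN;
  if (typeof cn !== 'string') return false;  // missing, array or other: refuse
  return cn === expectedCn;
}

// Constructed subjects. In the crafted one, the O value smuggles a second
// "CN=" line into the flat rendering, the ambiguity CVE-2021-44533 describes.
const legitimateSubject = { C: 'XX', O: 'Good Corp', CN: 'good.example.test' };
const craftedSubject = {
  C: 'XX',
  O: 'Evil Corp\nCN=good.example.test',
  CN: 'attacker.example.test',
};

function demo() {
  return {
    naiveLegit: naiveCnMatches(renderSubject(legitimateSubject), 'good.example.test'),
    naiveCrafted: naiveCnMatches(renderSubject(craftedSubject), 'good.example.test'),
    strictLegit: strictCnMatches(legitimateSubject, 'good.example.test'),
    strictCrafted: strictCnMatches(craftedSubject, 'good.example.test'),
  };
}
```

Where the goal is hostname verification rather than a pinned subject, prefer Node's own `tls.checkServerIdentity`, which validates against Subject Alternative Names instead of parsing the subject yourself.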
Created nodejs tracking bugs for this issue:
Affects: epel-7 [bug 2040861]
Affects: fedora-all [bug 2040857]

Created nodejs:12/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2040858]

Created nodejs:14/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2040859]

Created nodejs:16/nodejs tracking bugs for this issue:
Affects: fedora-all [bug 2040860]

Upstream fix: https://github.com/nodejs/node/commit/a336444c7fb9fd1d0055481d84cdd57d7d569879
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:4914 https://access.redhat.com/errata/RHSA-2022:4914
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-44533
This issue has been addressed in the following products: Red Hat Software Collections for Red Hat Enterprise Linux 7 Via RHSA-2022:7044 https://access.redhat.com/errata/RHSA-2022:7044
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:7830 https://access.redhat.com/errata/RHSA-2022:7830
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:9073 https://access.redhat.com/errata/RHSA-2022:9073
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:1742 https://access.redhat.com/errata/RHSA-2023:1742
This issue has been addressed in the following products: RHODF-4.13-RHEL-9 Via RHSA-2023:3742 https://access.redhat.com/errata/RHSA-2023:3742