Bug 1993039 (CVE-2021-22939) - CVE-2021-22939 nodejs: Incomplete validation of tls rejectUnauthorized parameter
Summary: CVE-2021-22939 nodejs: Incomplete validation of tls rejectUnauthorized parameter
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-22939
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1993040 1993041 1993042 1993043 1993044 1993045 1993046 1993047 1993808 1993809 1993810 1993811 1993812 1993813 1993963 1993966 1993989 1993990 1993991 1993998
Blocks: 1993049
TreeView+ depends on / blocked
 
Reported: 2021-08-12 09:53 UTC by Dhananjay Arunesh
Modified: 2022-04-17 21:33 UTC (History)
16 users (show)

Fixed In Version: nodejs 12.22.5, nodejs 14.17.5, nodejs 16.6.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Node.js. If the Node.js HTTPS API is used incorrectly and "undefined" is passed for the "rejectUnauthorized" parameter, no error is returned, and the connections to servers with an expired certificate are accepted. The highest threat from this vulnerability is to integrity.
Clone Of:
Environment:
Last Closed: 2021-08-26 15:35:26 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2021:3400 0 None None None 2021-08-31 20:51:24 UTC
Red Hat Product Errata RHBA-2021:3478 0 None None None 2021-09-09 12:33:06 UTC
Red Hat Product Errata RHBA-2021:4731 0 None None None 2021-11-18 10:45:19 UTC
Red Hat Product Errata RHSA-2021:3280 0 None None None 2021-08-26 10:19:05 UTC
Red Hat Product Errata RHSA-2021:3281 0 None None None 2021-08-26 10:15:39 UTC
Red Hat Product Errata RHSA-2021:3623 0 None None None 2021-09-21 13:13:01 UTC
Red Hat Product Errata RHSA-2021:3638 0 None None None 2021-09-22 09:01:11 UTC
Red Hat Product Errata RHSA-2021:3639 0 None None None 2021-09-22 08:51:52 UTC
Red Hat Product Errata RHSA-2021:3666 0 None None None 2021-09-27 07:29:19 UTC

Description Dhananjay Arunesh 2021-08-12 09:53:28 UTC 
If the Node.js https API was used incorrectly and "undefined" was in passed for the "rejectUnauthorized" parameter, no error was returned and connections to servers with an expired certificate would have been accepted.

References:
https://nodejs.org/en/blog/vulnerability/aug-2021-security-releases/
Comment 1 Dhananjay Arunesh 2021-08-12 09:54:55 UTC 
Created nodejs tracking bugs for this issue:

Affects: epel-7 [bug 1993040]
Affects: fedora-all [bug 1993041]


Created nodejs:10/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993042]


Created nodejs:12/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993043]


Created nodejs:13/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993044]


Created nodejs:14/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993045]


Created nodejs:15/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993046]


Created nodejs:16/nodejs tracking bugs for this issue:

Affects: fedora-all [bug 1993047]
Comment 2 Tomas Hoger 2021-08-12 10:53:17 UTC 
Upstream commit:

https://github.com/nodejs/node/commit/6c7fff6f1d53dfb6c2b184ee41809b8d7614cb80

It links the following hackerone report, which has not been made public yet:

https://hackerone.com/reports/1278254
Comment 5 errata-xmlrpc 2021-08-26 10:15:37 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3281 https://access.redhat.com/errata/RHSA-2021:3281
Comment 6 errata-xmlrpc 2021-08-26 10:19:04 UTC 
This issue has been addressed in the following products:

  Red Hat Software Collections for Red Hat Enterprise Linux 7
  Red Hat Software Collections for Red Hat Enterprise Linux 7.7 EUS

Via RHSA-2021:3280 https://access.redhat.com/errata/RHSA-2021:3280
Comment 7 Product Security DevOps Team 2021-08-26 15:35:26 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-22939
Comment 8 errata-xmlrpc 2021-09-21 13:12:59 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3623 https://access.redhat.com/errata/RHSA-2021:3623
Comment 9 errata-xmlrpc 2021-09-22 08:51:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.1 Extended Update Support

Via RHSA-2021:3639 https://access.redhat.com/errata/RHSA-2021:3639
Comment 10 errata-xmlrpc 2021-09-22 09:01:08 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2021:3638 https://access.redhat.com/errata/RHSA-2021:3638
Comment 11 errata-xmlrpc 2021-09-27 07:29:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:3666 https://access.redhat.com/errata/RHSA-2021:3666
Note You need to log in before you can comment on or make changes to this bug.