# July 7th 2022 Security Releases
By Rafael Gonzaga, 2022-07-07
## _(Update 07-July-2022)_ Security releases available
Updates are now available for the v18.x, v16.x, and v14.x Node.js release lines for the following issues.
## HTTP Request Smuggling – Flawed Parsing of Transfer-Encoding (Medium)(CVE-2022-32213)
The `llhttp` parser in the `http` module does not correctly parse and validate `Transfer-Encoding` headers. This can lead to HTTP Request Smuggling (HRS).
More details will be available at [CVE-2022-32213]() after publication.
Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.
Impacts:
* All versions of the 18.x, 16.x, and 14.x releases lines.
* `llhttp` v6.0.7 and `llhttp` v2.1.5 contains the fixes that were updated inside Node.js
## HTTP Request Smuggling – Improper Delimiting of Header Fields (Medium)(CVE-2022-32214)
The `llhttp` parser in the `http` module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).
More details will be available at [CVE-2022-32214]() after publication.
Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.
Impacts:
* All versions of the 18.x, 16.x, and 14.x releases lines.
* `llhttp` v6.0.7 and `llhttp` v2.1.5 contains the fixes that were updated inside Node.js
## HTTP Request Smuggling – Incorrect Parsing of Multi-line Transfer-Encoding (Medium)(CVE-2022-32215)
The `llhttp` parser in the `http` module does not correctly handle multi-line `Transfer-Encoding` headers. This can lead to HTTP Request Smuggling (HRS).
More details will be available at [CVE-2022-32215]() after publication.
Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.
Impacts:
* All versions of the 18.x, 16.x, and 14.x releases lines.
* `llhttp` v6.0.7 and `llhttp` v2.1.5 contains the fixes that were updated inside Node.js
## DNS rebinding in –inspect via invalid IP addresses (High)(CVE-2022-32212)
The `IsAllowedHost` check can easily be bypassed because `IsIPAddress` does not properly check if an IP address is invalid or not. When an invalid IPv4 address is provided (for instance 10.0.2.555 is provided), browsers (such as Firefox) will make DNS requests to the DNS server, providing a vector for an attacker-controlled DNS server or a MITM who can spoof DNS responses to perform a rebinding attack and hence connect to the WebSocket debugger, allowing for arbitrary code execution. This is a bypass of CVE-2021-22884.
More details will be available at [CVE-2022-32212]() after publication.
Thank you to Axel Chong for reporting this vulnerability.
Impacts:
* All versions of the 18.x, 16.x, and 14.x releases lines.
## DLL Hijacking on Windows (High)(CVE-2022-32223)
This vulnerability can be exploited if the victim has the following dependencies on Windows machine:
* OpenSSL has been installed and âC:Program FilesCommon FilesSSLopenssl.cnfâ exists.
Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory. After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows.
It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.
More details will be available at [CVE-2022-32223]() after publication.
Thank you to Yakir Kadkoda from Aqua Security for reporting this vulnerability.
Impacts:
* All versions of the 16.x, and 14.x releases lines.
Note:
* This is a breaking change that has been made to the v14.x, v16.x, and v18.x releases lines.
Node.js can use an OpenSSL configuration file by specifying the environment variable `OPENSSL_CONF`, or using the command line option `–openssl-conf`, and if none of those are specified will default to reading the default OpenSSL configuration file `openssl.cnf`. **Node.js will only read a section that is by default named `nodejs_conf`**.
If your installation was using the default `openssl.cnf` file and is affected by this breaking change you can fall back to the previous behavior by:
* Adding `–openssl-shared-config` to the command line (Node.js 18.5.0 only); or
* Creating a new `nodejs_conf` section in that file and copying the contents of the default section into the new `nodejs_conf` section.
## Attempt to read `openssl.cnf` from `/home/iojs/build/` upon startup (Medium)(CVE-2022-32222)
When Node.js starts on linux based systems, it attempts to read `/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf`, which ordinarily doesn’t exist. On some shared systems an attacker may be able create this file and therefore affect the default OpenSSL configuration for other users.
Thank you to Michael Scovetta from the OpenSSF Alpha-Omega project for reporting this vulnerability.
Impacts:
* Node.js 18.x
## OpenSSL – AES OCB fails to encrypt some bytes (Medium)(CVE-2022-2097)
AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn’t written. In the special case of “in place” encryption, sixteen bytes of the plaintext would be revealed.
Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.
Impacts:
* All versions of the 18.x, 16.x, and 14.x releases lines.
## Downloads and release details
* [Node.js v14.20.0 (LTS)]()
* [Node.js v16.16.0 (LTS)]()
* [Node.js v18.5.0 (Current)]()
* * *
## (Update 07-Jul-2022) Security Release target July 7th
The Node.js Security Releases will be available on, or shortly after, Thursday, July 7th, 2022.
## (Update 05-Jul-2022) OpenSSL Security Release Assessement
With respect to the vulnerabilities in the OpenSSL Security releases of Jul 5th 2022 affects Node.js v18.x, v16.x, and v14.x.
* Node.js is affected by **one** MODERATE vulnerability on Windows 32-Bit x86.
The security release will be delayed so that we can incorporate the the updated OpenSSL versions. We will post another update once we have an updated target for the release date.
### Analysis
Our assessment of the [security advisory]() is:
#### Heap memory corruption with RSA private key operation (CVE-2022-2274) (HIGH)
This vulnerability affects OpenSSL 3.0.4 users. However, Node.js has not shipped any version that used OpenSSL 3.0.4. Therefore, Node.js is not affected.
#### AES OCB fails to encrypt some bytes (CVE-2022-2097) (MODERATE)
This vulnerability affects Windows 32-Bit x86 users using `AES OCB` encryption. The serverity is MODERATE.
## (Update 04-Jul-2022) OpenSSL Security Release
The OpenSSL versions 1.1.1q and 3.0.5 will be released July, 5th 2022. The announcement can be found here:
The Node.js team will evaluate the OpenSSL changes when they are available and then announce the new target date by Thursday or earlier.
# Summary
The Node.js project will release new versions of the 14.x, 16.x, and 18.x releases lines on or shortly after Tuesday, July 5th, 2022 in order to address:
* Three medium severity issues.
* Two high severity issues.
## Impact
The 18.x release line of Node.js is vulnerable to three medium severity issues and one high severity issues.
The 16.x release line of Node.js is vulnerable to three medium severity issues and two high severity issues.
The 14.x release line of Node.js is vulnerable to three medium severity issues and two high severity issues.
## Release timing
Releases will be available on, or shortly after, Tuesday, July 5th, 2022.
However, when details of the OpenSSL defects are released on the 5th, our team will be making a more detailed assessment on the likely severity for Node.js users.
The OpenSSL release may delay the Node.js release date. See OpenSSL Security Release
Please monitor the **nodejs-sec** Google Group for updates, including a decision within 24 hours after the OpenSSL release regarding release timing, and full details of the defects upon eventual release:
## Contact and future updates
The current Node.js security policy can be found at . Please follow the process outlined in [https://github.com/nodejs/node/blob/main/SECURITY.md]() if you wish to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.Read More
References
Back to Main