Bug 1194512 (CVE-2021-44532)

Summary: VUL-0: CVE-2021-44532: nodejs10,nodejs12,nodejs14,nodejs16,nodejs: Certificate Verification Bypass via String Injection
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Adam Majer <amajer>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard: CVSSv3.1:SUSE:CVE-2021-44532:5.9:(AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Robert Frohl 2022-01-11 07:59:25 UTC
Certificate Verification Bypass via String Injection (Medium)(CVE-2021-44532)

Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints.

Versions of Node.js with the fix for this escape SANs containing the problematic characters in order to prevent the injection. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44532 after publication.

This vulnerability was reported by Google.

Impacts:

    All versions of the 17.x, 16.x, 14.x, and 12.x releases lines.

https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
Comment 1 OBSbugzilla Bot 2022-01-12 09:50:05 UTC
This is an autogenerated message for OBS integration:
This bug (1194512) was mentioned in
https://build.opensuse.org/request/show/945772 Factory / nodejs16
Comment 4 Swamp Workflow Management 2022-01-18 14:39:15 UTC
SUSE-SU-2022:0101-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602,1194511,1194512,1194513,1194514
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135,CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.9-1.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2022-01-18 17:20:03 UTC
SUSE-SU-2022:0114-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.18.3-6.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2022-01-18 17:22:55 UTC
SUSE-SU-2022:0113-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.9-4.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-01-18 17:25:27 UTC
openSUSE-SU-2022:0112-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.18.3-15.24.1
Comment 8 Swamp Workflow Management 2022-01-18 17:29:25 UTC
openSUSE-SU-2022:0113-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.9-4.25.1
Comment 9 Swamp Workflow Management 2022-01-18 17:30:53 UTC
SUSE-SU-2022:0112-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.18.3-15.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-04-13 19:26:08 UTC
openSUSE-SU-2022:0112-1: An update that fixes 35 vulnerabilities is now available.

Category: security (important)
Bug References: 1194511,1194512,1194513,1194514,1197680,1198053,1198361
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-1125,CVE-2022-1127,CVE-2022-1128,CVE-2022-1129,CVE-2022-1130,CVE-2022-1131,CVE-2022-1132,CVE-2022-1133,CVE-2022-1134,CVE-2022-1135,CVE-2022-1136,CVE-2022-1137,CVE-2022-1138,CVE-2022-1139,CVE-2022-1141,CVE-2022-1142,CVE-2022-1143,CVE-2022-1144,CVE-2022-1145,CVE-2022-1146,CVE-2022-1232,CVE-2022-1305,CVE-2022-1306,CVE-2022-1307,CVE-2022-1308,CVE-2022-1309,CVE-2022-1310,CVE-2022-1311,CVE-2022-1312,CVE-2022-1313,CVE-2022-1314,CVE-2022-21824
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.18.3-15.24.1
openSUSE Backports SLE-15-SP3 (src):    chromium-100.0.4896.88-bp153.2.82.1
Comment 12 Swamp Workflow Management 2022-04-17 19:17:37 UTC
openSUSE-SU-2022:0113-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514,1198204
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824,CVE-2022-24191
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.9-4.25.1
openSUSE Backports SLE-15-SP3 (src):    htmldoc-1.9.12-bp153.2.9.1