Bug 1212580 (CVE-2023-30586)

Summary: VUL-0: CVE-2023-30586: nodejs20: OpenSSL engines can be used to bypass the permission model
Product: [Novell Products] SUSE Security Incidents
Reporter: Robert Frohl <rfrohl>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/370084/

Description Robert Frohl 2023-06-21 11:50:11 UTC
OpenSSL engines can be used to bypass the permission model (Medium) (CVE-2023-30586)

Node.js 20 allows loading arbitrary OpenSSL engines when the experimental permission model is enabled, which can bypass and/or disable the permission model.

The crypto.setEngine() API can be used to bypass the permission model when called with a compatible OpenSSL engine. The OpenSSL engine can, for example, disable the permission model in the host process by manipulating the process's stack memory to locate the permission model Permission::enabled_ in the host process's heap memory.

This vulnerability affects all users using the experimental permission model in Node.js 20.

Please note that at the time this CVE was issued, the permission model is an experimental feature of Node.js.

Thanks to Tobias Nießen for reporting this vulnerability and fixing it.

https://nodejs.org/en/blog/vulnerability/june-2023-security-releases
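
A runtime check for the condition described above, as an added example that is not part of the original report or of Node.js: it asks the running process whether crypto.setEngine() still attempts to load an engine while the permission model is on. The engine id is constructed, and two points are assumptions: that a fixed release rejects the call with ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED, and that process.permission is defined only when the permission model is enabled.

```javascript
// Added example: classify whether JavaScript in this process can still reach
// OpenSSL engine loading while the permission model is enabled.

// Constructed engine id that should not exist on any system.
const PROBE_ENGINE_ID = 'nonexistent-engine-probe';

// cryptoModule: object exposing setEngine(id); permissionEnabled: boolean.
// Both are injected so the logic can be exercised against stand-ins.
function classifyEngineExposure(cryptoModule, permissionEnabled) {
  if (!permissionEnabled) {
    // Nothing to bypass; do not touch the engine API at all.
    return { status: 'not-applicable', detail: 'permission model is not enabled' };
  }
  if (!cryptoModule || typeof cryptoModule.setEngine !== 'function') {
    return { status: 'engines-unavailable', detail: 'crypto.setEngine() is absent' };
  }
  try {
    cryptoModule.setEngine(PROBE_ENGINE_ID);
  } catch (err) {
    // Assumption: a fixed runtime rejects the call up front with this code.
    if (err && err.code === 'ERR_CRYPTO_CUSTOM_ENGINE_NOT_SUPPORTED') {
      return { status: 'refused', detail: err.code };
    }
    // Any other failure (for example ERR_CRYPTO_ENGINE_UNKNOWN) means the
    // runtime went looking for the engine, so the load path is reachable.
    return { status: 'exposed', detail: (err && err.code) || String(err) };
  }
  return { status: 'exposed', detail: 'setEngine() returned without error' };
}

// Probe the running process. Assumption: process.permission is only defined
// when the permission model is enabled.
async function probeThisProcess() {
  const crypto = (await import('node:crypto')).default;
  return classifyEngineExposure(crypto, typeof process.permission === 'object');
}

probeThisProcess().then(
  (r) => console.log(`engine loading: ${r.status} (${r.detail})`),
  (e) => console.error(`probe failed: ${e.message}`)
);
```

Run it with the same flags as the workload being checked: without the permission model the probe reports not-applicable and never calls setEngine().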

Comment 1 OBSbugzilla Bot 2023-06-21 12:45:14 UTC
This is an autogenerated message for OBS integration:
This bug (1212580) was mentioned in
https://build.opensuse.org/request/show/1094364 Factory / nodejs20

Comment 2 Adam Majer 2023-08-04 15:09:21 UTC
This should be fixed in all affected versions (nodejs20). Reassigning to security team for tracking.

Comment 5 Andrea Mattiazzo 2024-05-24 10:39:05 UTC
All done, closing.