Bug 1180553 - (CVE-2020-8265) VUL-0: CVE-2020-8265: nodejs10,nodejs12,nodejs14,nodejs15: use-after-free in TLSWrap
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Security Team bot
Depends on:
Blocks:
Reported: 2021-01-05 09:05 UTC by Robert Frohl
Modified: 2021-09-03 18:38 UTC (History)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
poc (10.00 KB, application/x-tar)
2021-01-11 15:35 UTC, Adam Majer
Description Robert Frohl 2021-01-05 09:05:15 UTC
use-after-free in TLSWrap (High) (CVE-2020-8265)

Affected Node.js versions are vulnerable to a use-after-free bug in its TLS implementation. When writing to a TLS enabled socket, node::StreamBase::Write calls node::TLSWrap::DoWrite with a freshly allocated WriteWrap object as first argument. If the DoWrite method does not return an error, this object is passed back to the caller as part of a StreamWriteResult structure. This may be exploited to corrupt memory leading to a Denial of Service or potentially other exploits.

Impacts:

    All versions of the 15.x, 14.x, 12.x and 10.x release lines

Thank you to Felix Wilhelm from Google Project Zero for reporting this vulnerability.

https://nodejs.org/en/blog/vulnerability/january-2021-security-releases/
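The advisory names four affected release lines, and the SUSE updates further down this bug show which package versions carried the fix. The following inventory check is an added example (it is not part of the bug report, the Node.js advisory, or the SUSE packaging): it takes the first patched version per line from the update sources listed in this bug (nodejs14-14.15.4, nodejs12-12.20.1, nodejs10-10.23.1) and flags any version below that as affected. The patched 15.x release is not given on this page, so by assumption every 15.x version is reported as affected, and the host inventory is a constructed sample.

```javascript
// Added example (not from the bug report): flag Node.js versions affected by
// CVE-2020-8265 on the release lines named in the advisory.
// Patched versions are taken from the SUSE update sources in this bug
// (nodejs14-14.15.4, nodejs12-12.20.1, nodejs10-10.23.1). The patched 15.x
// release is not on the page, so it is left as an assumption (null = treat
// every 15.x version as affected, per the advisory's "all versions" wording).
const PATCHED = {
  10: '10.23.1',
  12: '12.20.1',
  14: '14.15.4',
  15: null, // ASSUMPTION: patched 15.x release not given on this page
};

// Parse "v14.15.4" or "14.15.4" into [major, minor, patch]; reject anything else
// so a malformed inventory entry fails loudly instead of being reported as safe.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`unrecognised Node.js version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric three-part comparison (string comparison would rank 10.9.0 above 10.23.1).
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Returns 'affected', 'patched', or 'not-listed' for release lines the advisory
// does not name (e.g. 8.x, which Comment 5 reports does not trigger the bug).
function assessCve20208265(version) {
  const [major] = parseVersion(version);
  if (!(major in PATCHED)) return 'not-listed';
  const fixed = PATCHED[major];
  if (fixed === null) return 'affected';
  return compareVersions(version, fixed) < 0 ? 'affected' : 'patched';
}

// Constructed sample inventory: hostname -> output of `node --version`.
const SAMPLE_INVENTORY = {
  'web-01': 'v14.15.3',
  'web-02': 'v14.15.4',
  'api-01': 'v12.20.0',
  'api-02': 'v12.20.1',
  'legacy-01': 'v10.23.1',
  'legacy-02': 'v10.22.0',
  'dev-01': 'v15.5.0',
  'old-01': 'v8.17.0',
};

// Assess every host and return { host: status }.
function reportInventory(inventory) {
  const report = {};
  for (const [host, version] of Object.entries(inventory)) {
    report[host] = assessCve20208265(version);
  }
  return report;
}

// Print the sample report, then the status of the Node.js running this script.
for (const [host, status] of Object.entries(reportInventory(SAMPLE_INVENTORY))) {
  console.log(`${host.padEnd(10)} ${SAMPLE_INVENTORY[host].padEnd(10)} ${status}`);
}
console.log(`this runtime ${process.version.padEnd(10)} ${assessCve20208265(process.version)}`);
```

Feed the real inventory in as an object keyed by host and treat 'not-listed' as "not covered by this advisory" rather than "safe": a newer major line is outside the advisory's scope, and the 15.x threshold must be filled in from the upstream advisory before the check is used for that line.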
Comment 1 OBSbugzilla Bot 2021-01-05 09:50:12 UTC
This is an autogenerated message for OBS integration:
This bug (1180553) was mentioned in
https://build.opensuse.org/request/show/860411 Factory / nodejs10
Comment 2 OBSbugzilla Bot 2021-01-05 11:30:11 UTC
This is an autogenerated message for OBS integration:
This bug (1180553) was mentioned in
https://build.opensuse.org/request/show/860426 Factory / nodejs12
https://build.opensuse.org/request/show/860436 Factory / nodejs14
Comment 3 Adam Majer 2021-01-05 13:30:49 UTC
Fix patch at

https://github.com/nodejs/node/commit/7f178663eb

Reproducer at

https://github.com/nodejs/node/commit/357e2857c8

This does not trigger for me on any of the released versions. Investigating.
Comment 5 Adam Majer 2021-01-11 15:35:45 UTC
Created attachment 844997 [details]
poc

Unfortunately, the upstream test case does not trigger the issue but unwinding it into 2 processes results in a reproducer.

The poc is from test-tls-use-after-free-regression.js

To reproduce:

  valgrind --trace-children=yes node server.js

And then to trigger,

  node poc.js

Triggers on vulnerable node10+. node8 does not trigger.
Comment 6 Swamp Workflow Management 2021-01-11 17:18:13 UTC
SUSE-SU-2021:0061-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1178882,1180553,1180554
CVE References: CVE-2020-8265,CVE-2020-8277,CVE-2020-8287
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs14-14.15.4-5.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2021-01-11 17:20:54 UTC
SUSE-SU-2021:0068-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179491,1180553,1180554
CVE References: CVE-2020-1971,CVE-2020-8265,CVE-2020-8287
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.20.1-1.26.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2021-01-11 17:27:24 UTC
SUSE-SU-2021:0062-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1178882,1179491,1180553,1180554
CVE References: CVE-2020-1971,CVE-2020-8265,CVE-2020-8277,CVE-2020-8287
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs12-12.20.1-4.10.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2021-01-11 17:28:45 UTC
SUSE-SU-2021:0060-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179491,1180553,1180554
CVE References: CVE-2020-1971,CVE-2020-8265,CVE-2020-8287
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    nodejs10-10.23.1-1.30.1
SUSE Linux Enterprise Server 15-LTSS (src):    nodejs10-10.23.1-1.30.1
SUSE Linux Enterprise Module for Web Scripting 15-SP2 (src):    nodejs10-10.23.1-1.30.1
SUSE Linux Enterprise Module for Web Scripting 15-SP1 (src):    nodejs10-10.23.1-1.30.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    nodejs10-10.23.1-1.30.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    nodejs10-10.23.1-1.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2021-01-12 17:19:17 UTC
SUSE-SU-2021:0082-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179491,1180553,1180554
CVE References: CVE-2020-1971,CVE-2020-8265,CVE-2020-8287
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs10-10.23.1-1.33.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2021-01-13 14:31:03 UTC
SUSE-SU-2021:0107-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1180553,1180554
CVE References: CVE-2020-8265,CVE-2020-8287
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.15.4-6.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2021-01-15 14:20:05 UTC
openSUSE-SU-2021:0064-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1178882,1179491,1180553,1180554
CVE References: CVE-2020-1971,CVE-2020-8265,CVE-2020-8277,CVE-2020-8287
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs12-12.20.1-lp152.3.9.1
Comment 13 Swamp Workflow Management 2021-01-15 14:24:49 UTC
openSUSE-SU-2021:0065-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179491,1180553,1180554
CVE References: CVE-2020-1971,CVE-2020-8265,CVE-2020-8287
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs10-10.23.1-lp152.2.9.1
Comment 14 Swamp Workflow Management 2021-01-15 14:28:14 UTC
openSUSE-SU-2021:0066-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1178882,1180553,1180554
CVE References: CVE-2020-8265,CVE-2020-8277,CVE-2020-8287
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    nodejs14-14.15.4-lp152.5.1
Comment 15 Swamp Workflow Management 2021-01-16 14:39:31 UTC
openSUSE-SU-2021:0082-1: An update that fixes three vulnerabilities is now available.

Category: security (moderate)
Bug References: 1179491,1180553,1180554
CVE References: CVE-2020-1971,CVE-2020-8265,CVE-2020-8287
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    nodejs10-10.23.1-lp151.2.15.1