Bug 1194511 - (CVE-2021-44531) VUL-0: CVE-2021-44531: nodejs10,nodejs12,nodejs14,nodejs16,nodejs: Improper handling of URI Subject Alternative Names
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium; Severity: Normal
Assigned To: Adam Majer
Security Team bot
CVSSv3.1:SUSE:CVE-2021-44531:5.9:(AV:...
Reported: 2022-01-11 07:57 UTC by Robert Frohl
Modified: 2022-04-17 19:17 UTC
Description Robert Frohl 2022-01-11 07:57:58 UTC
Improper handling of URI Subject Alternative Names (Medium)(CVE-2021-44531)

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.

Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

More details will be available at CVE-2021-44531 after publication.

This vulnerability was reported by Google.

Impacts:

    All versions of the 17.x, 16.x, 14.x, and 12.x release lines.

https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
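
The hostname-check policy described in the report above, as an added example that is not part of the original report and not Node.js's own code: only DNS SAN entries may satisfy a hostname check, and URI entries are reported but never matched. The function names and the sample hostnames are hypothetical; the sketch covers DNS-name hosts only and fails closed on quoted SAN strings.

```javascript
// Added example, not Node.js source. `san` has the shape of the subjectaltname
// string from getPeerCertificate(), e.g. "DNS:a.test, URI:https://a.test/".

// Split into {type, value}. A string containing a double quote (Node quotes
// values with special characters) is left unparsed so callers fail closed.
function parseSubjectAltName(san) {
  if (!san) return [];
  if (san.includes('"')) return [{ type: 'UNPARSED', value: san }];
  return san.split(', ').map((entry) => {
    const i = entry.indexOf(':');
    return i < 0
      ? { type: 'UNPARSED', value: entry }
      : { type: entry.slice(0, i), value: entry.slice(i + 1) };
  });
}

// Exact match, or "*." as the whole left-most label covering exactly one
// label. A wildcard directly under a single label ("*.test") is rejected.
function dnsMatches(pattern, host) {
  const p = pattern.toLowerCase();
  const h = host.toLowerCase().replace(/\.$/, '');
  if (!p.startsWith('*.')) return p === h;
  const dot = h.indexOf('.');
  return dot > 0 && h.slice(dot) === p.slice(1) && p.split('.').length > 2;
}

// Only DNS entries can satisfy the check. Every other SAN type, URI included,
// is listed in `ignored` so it can be logged, but it never produces a match.
function checkHostname(host, san) {
  const entries = parseSubjectAltName(san);
  const ignored = entries.filter((e) => e.type !== 'DNS').map((e) => e.type);
  if (ignored.includes('UNPARSED')) return { ok: false, reason: 'unparsed SAN', ignored };
  const ok = entries.some((e) => e.type === 'DNS' && dnsMatches(e.value, host));
  return { ok, reason: ok ? 'DNS SAN match' : 'no matching DNS SAN', ignored };
}

// Constructed sample SAN strings (not taken from real certificates).
const samples = [
  ['api.example.test', 'DNS:*.example.test, URI:https://api.example.test/'],
  ['api.example.test', 'URI:https://api.example.test/'],
  ['api.example.test', 'DNS:other.example.test, URI:https://api.example.test/'],
];
for (const [host, san] of samples) {
  console.log(host, '<-', san, '=>', JSON.stringify(checkHostname(host, san)));
}
```
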
Comment 1 OBSbugzilla Bot 2022-01-12 09:50:03 UTC
This is an autogenerated message for OBS integration:
This bug (1194511) was mentioned in
https://build.opensuse.org/request/show/945772 Factory / nodejs16
Comment 4 Swamp Workflow Management 2022-01-18 14:39:11 UTC
SUSE-SU-2022:0101-1: An update that fixes 11 vulnerabilities is now available.

Category: security (important)
Bug References: 1190053,1190054,1190055,1190056,1190057,1191601,1191602,1194511,1194512,1194513,1194514
CVE References: CVE-2021-22959,CVE-2021-22960,CVE-2021-37701,CVE-2021-37712,CVE-2021-37713,CVE-2021-39134,CVE-2021-39135,CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.9-1.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2022-01-18 17:19:59 UTC
SUSE-SU-2022:0114-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.18.3-6.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2022-01-18 17:22:51 UTC
SUSE-SU-2022:0113-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.9-4.25.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-01-18 17:25:22 UTC
openSUSE-SU-2022:0112-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.18.3-15.24.1
Comment 8 Swamp Workflow Management 2022-01-18 17:29:20 UTC
openSUSE-SU-2022:0113-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.9-4.25.1
Comment 9 Swamp Workflow Management 2022-01-18 17:30:48 UTC
SUSE-SU-2022:0112-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.18.3-15.24.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-04-13 19:26:03 UTC
openSUSE-SU-2022:0112-1: An update that fixes 35 vulnerabilities is now available.

Category: security (important)
Bug References: 1194511,1194512,1194513,1194514,1197680,1198053,1198361
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-1125,CVE-2022-1127,CVE-2022-1128,CVE-2022-1129,CVE-2022-1130,CVE-2022-1131,CVE-2022-1132,CVE-2022-1133,CVE-2022-1134,CVE-2022-1135,CVE-2022-1136,CVE-2022-1137,CVE-2022-1138,CVE-2022-1139,CVE-2022-1141,CVE-2022-1142,CVE-2022-1143,CVE-2022-1144,CVE-2022-1145,CVE-2022-1146,CVE-2022-1232,CVE-2022-1305,CVE-2022-1306,CVE-2022-1307,CVE-2022-1308,CVE-2022-1309,CVE-2022-1310,CVE-2022-1311,CVE-2022-1312,CVE-2022-1313,CVE-2022-1314,CVE-2022-21824
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs14-14.18.3-15.24.1
openSUSE Backports SLE-15-SP3 (src):    chromium-100.0.4896.88-bp153.2.82.1
Comment 12 Swamp Workflow Management 2022-04-17 19:17:32 UTC
openSUSE-SU-2022:0113-1: An update that fixes 5 vulnerabilities is now available.

Category: security (moderate)
Bug References: 1194511,1194512,1194513,1194514,1198204
CVE References: CVE-2021-44531,CVE-2021-44532,CVE-2021-44533,CVE-2022-21824,CVE-2022-24191
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs12-12.22.9-4.25.1
openSUSE Backports SLE-15-SP3 (src):    htmldoc-1.9.12-bp153.2.9.1