Bug 1201325 - (CVE-2022-32213) VUL-0: CVE-2022-32213: nodejs: HTTP request smuggling due to flawed parsing of Transfer-Encoding
Status: REOPENED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Adam Majer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/336529/
Whiteboard: CVSSv3.1:SUSE:CVE-2022-32213:6.8:(AV:...
Reported: 2022-07-08 10:22 UTC by Carlos López
Modified: 2023-02-01 12:06 UTC (History)
Description Carlos López 2022-07-08 10:22:24 UTC
CVE-2022-32213

The llhttp parser in the http module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

More details will be available at CVE-2022-32213 after publication.

Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.

Impacts:

All versions of the 18.x, 16.x, and 14.x release lines.
llhttp v6.0.7 and llhttp v2.1.5 contain the fixes that were updated inside Node.js
Comment 1 Carlos López 2022-07-11 08:50:53 UTC
The upstream commit does not mention this CVE but CVE-2022-32212, but I think it's a typo.
main: https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a
16.x: https://github.com/nodejs/node/commit/1da22eb48254f8c2d5f3c5865bb9f46e8b09ec60
14.x: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd

Library patch:
main: https://github.com/nodejs/llhttp/commit/4b9b57d9a62ae6bc6f31a8a485ca58a9f090493f
2.1.x: https://github.com/nodejs/llhttp/commit/cc6b967e7fe849d3916b905fd0d41225b3e0c929 (used by nodejs12 and nodejs14)

Hard to tell if nodejs10 and older are affected since they do not use llhttp, but http_parser, which is unmaintained.
Comment 6 Swamp Workflow Management 2022-07-15 19:16:58 UTC
SUSE-SU-2022:2415-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192489,1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs16-16.16.0-8.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-07-15 19:17:48 UTC
SUSE-SU-2022:2416-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.20.0-6.31.1

Comment 8 Swamp Workflow Management 2022-07-15 19:22:44 UTC
SUSE-SU-2022:2417-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1201099,1201325,1201326,1201327,1201328
CVE References: CVE-2022-2097,CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.12-1.51.1

Comment 9 Swamp Workflow Management 2022-07-18 10:24:05 UTC
SUSE-SU-2022:2425-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs14-14.20.0-150200.15.34.1
openSUSE Leap 15.3 (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Manager Server 4.1 (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Manager Proxy 4.1 (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Enterprise Storage 7 (src):    nodejs14-14.20.0-150200.15.34.1

Comment 10 Swamp Workflow Management 2022-07-18 19:16:47 UTC
SUSE-SU-2022:2430-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs12-12.22.12-150200.4.35.1
openSUSE Leap 15.3 (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Manager Server 4.1 (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Manager Proxy 4.1 (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Enterprise Storage 7 (src):    nodejs12-12.22.12-150200.4.35.1

Comment 11 Swamp Workflow Management 2022-07-21 16:20:25 UTC
SUSE-SU-2022:2491-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs16-16.16.0-150400.3.3.2
SUSE Linux Enterprise Module for Web Scripting 15-SP4 (src):    nodejs16-16.16.0-150400.3.3.2

Comment 12 Swamp Workflow Management 2022-07-26 16:25:04 UTC
SUSE-SU-2022:2551-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192489,1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs16-16.16.0-150300.7.6.2
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs16-16.16.0-150300.7.6.2

Comment 14 Swamp Workflow Management 2022-08-19 19:22:17 UTC
SUSE-SU-2022:2855-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1188917,1189368,1191601,1191602,1201325,1201326,1201327,1201328
CVE References: CVE-2021-22930,CVE-2021-22940,CVE-2021-22959,CVE-2021-22960,CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs10-10.24.1-150000.1.47.1
openSUSE Leap 15.3 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Manager Server 4.1 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Manager Proxy 4.1 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server for SAP 15 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-LTSS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Enterprise Storage 7 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Enterprise Storage 6 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE CaaS Platform 4.0 (src):    nodejs10-10.24.1-150000.1.47.1

Comment 17 Robert Frohl 2022-08-25 14:24:56 UTC
done, closing
Comment 18 Adam Majer 2022-09-28 11:09:13 UTC
Re-opening as the fix was incomplete.

llhttp needs update to 2.1.6

https://github.com/nodejs/node/commit/a9f1146b88
Comment 19 Adam Majer 2022-09-28 11:10:03 UTC
This incomplete fix also affects newer nodejs versions. See,

https://nodejs.org/en/blog/vulnerability/september-2022-security-releases/
Comment 20 OBSbugzilla Bot 2022-09-28 14:25:02 UTC
This is an autogenerated message for OBS integration:
This bug (1201325) was mentioned in
https://build.opensuse.org/request/show/1006689 Factory / nodejs18
https://build.opensuse.org/request/show/1006690 Factory / nodejs16
Comment 24 OBSbugzilla Bot 2022-09-29 15:35:02 UTC
This is an autogenerated message for OBS integration:
This bug (1201325) was mentioned in
https://build.opensuse.org/request/show/1006992 Factory / nodejs18
Comment 25 Swamp Workflow Management 2022-10-04 13:31:08 UTC
SUSE-SU-2022:3503-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.12-1.54.1

Comment 26 Swamp Workflow Management 2022-10-04 16:20:30 UTC
SUSE-SU-2022:3516-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.20.1-6.34.1

Comment 27 Swamp Workflow Management 2022-10-05 13:19:23 UTC
SUSE-SU-2022:3524-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201327,1203831,1203832
CVE References: CVE-2022-32213,CVE-2022-32215,CVE-2022-35255,CVE-2022-35256
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs16-16.17.1-8.12.1

Comment 28 Swamp Workflow Management 2022-10-18 16:20:56 UTC
SUSE-SU-2022:3614-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs14-14.20.1-150200.15.37.1
openSUSE Leap 15.3 (src):    nodejs14-14.20.1-150200.15.37.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.20.1-150200.15.37.1

Comment 29 Swamp Workflow Management 2022-10-18 16:22:40 UTC
SUSE-SU-2022:3615-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201327,1203831,1203832
CVE References: CVE-2022-32213,CVE-2022-32215,CVE-2022-35255,CVE-2022-35256
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs16-16.17.1-150300.7.12.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs16-16.17.1-150300.7.12.1

Comment 30 Swamp Workflow Management 2022-10-18 16:25:48 UTC
SUSE-SU-2022:3616-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs12-12.22.12-150200.4.38.1
openSUSE Leap 15.3 (src):    nodejs12-12.22.12-150200.4.38.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.12-150200.4.38.1

Comment 31 Swamp Workflow Management 2022-10-19 16:26:54 UTC
SUSE-SU-2022:3656-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201327,1203831,1203832
CVE References: CVE-2022-32213,CVE-2022-32215,CVE-2022-35255,CVE-2022-35256
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs16-16.17.1-150400.3.9.1
SUSE Linux Enterprise Module for Web Scripting 15-SP4 (src):    nodejs16-16.17.1-150400.3.9.1

Comment 32 Swamp Workflow Management 2022-11-01 14:18:58 UTC
SUSE-SU-2022:3835-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1201325,1203832
CVE References: CVE-2022-32213,CVE-2022-35256
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs10-10.24.1-150000.1.50.1
openSUSE Leap 15.3 (src):    nodejs10-10.24.1-150000.1.50.1
