Bug 1201326 - (CVE-2022-32214) VUL-0: CVE-2022-32214: nodejs: HTTP request smuggling due to improper delimiting of header fields
(CVE-2022-32214)
VUL-0: CVE-2022-32214: nodejs: HTTP request smuggling due to improper delimit...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Adam Majer
Security Team bot
https://smash.suse.de/issue/336531/
CVSSv3.1:SUSE:CVE-2022-32214:6.8:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2022-07-08 10:23 UTC by Carlos López
Modified: 2023-01-26 16:06 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Carlos López 2022-07-08 10:23:59 UTC
CVE-2022-32214

The llhttp parser in the http module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling (HRS).

More details will be available at CVE-2022-32214 after publication.

Thank you to Zeyu Zhang (@zeyu2001) for reporting this vulnerability.

Impacts:

All versions of the 18.x, 16.x, and 14.x releases lines.
llhttp v6.0.7 and llhttp v2.1.5 contains the fixes that were updated inside Node.js
Comment 1 Carlos López 2022-07-11 08:55:04 UTC
main: https://github.com/nodejs/node/commit/d9b71f4c241fa31cc2a48331a4fc28c15937875a
16.x: https://github.com/nodejs/node/commit/1da22eb48254f8c2d5f3c5865bb9f46e8b09ec60
14.x: https://github.com/nodejs/node/commit/da0fda0fe81d372e24c0cb11aec37534985708dd

Library patch:
main: https://github.com/nodejs/llhttp/commit/4b9b57d9a62ae6bc6f31a8a485ca58a9f090493f
2.1.x: https://github.com/nodejs/llhttp/commit/cc6b967e7fe849d3916b905fd0d41225b3e0c929 (used by nodejs12 and nodejs14)

As with the other two CVEs fixed with the same commit, it's hard to tell if nodejs10 and older are affected since they do not use llhttp, but http_parser, which is unmaintained.
Comment 4 Swamp Workflow Management 2022-07-15 19:17:03 UTC
SUSE-SU-2022:2415-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192489,1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs16-16.16.0-8.6.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Swamp Workflow Management 2022-07-15 19:17:53 UTC
SUSE-SU-2022:2416-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs14-14.20.0-6.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2022-07-15 19:22:48 UTC
SUSE-SU-2022:2417-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1201099,1201325,1201326,1201327,1201328
CVE References: CVE-2022-2097,CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Web Scripting 12 (src):    nodejs12-12.22.12-1.51.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2022-07-18 10:24:09 UTC
SUSE-SU-2022:2425-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs14-14.20.0-150200.15.34.1
openSUSE Leap 15.3 (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Manager Server 4.1 (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Manager Proxy 4.1 (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs14-14.20.0-150200.15.34.1
SUSE Enterprise Storage 7 (src):    nodejs14-14.20.0-150200.15.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-07-18 19:16:51 UTC
SUSE-SU-2022:2430-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs12-12.22.12-150200.4.35.1
openSUSE Leap 15.3 (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Manager Server 4.1 (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Manager Proxy 4.1 (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs12-12.22.12-150200.4.35.1
SUSE Enterprise Storage 7 (src):    nodejs12-12.22.12-150200.4.35.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-07-21 16:20:30 UTC
SUSE-SU-2022:2491-1: An update that fixes four vulnerabilities is now available.

Category: security (important)
Bug References: 1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs16-16.16.0-150400.3.3.2
SUSE Linux Enterprise Module for Web Scripting 15-SP4 (src):    nodejs16-16.16.0-150400.3.3.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2022-07-26 16:25:09 UTC
SUSE-SU-2022:2551-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1192489,1201325,1201326,1201327,1201328
CVE References: CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    nodejs16-16.16.0-150300.7.6.2
SUSE Linux Enterprise Module for Web Scripting 15-SP3 (src):    nodejs16-16.16.0-150300.7.6.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Swamp Workflow Management 2022-08-19 19:22:22 UTC
SUSE-SU-2022:2855-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1188917,1189368,1191601,1191602,1201325,1201326,1201327,1201328
CVE References: CVE-2021-22930,CVE-2021-22940,CVE-2021-22959,CVE-2021-22960,CVE-2022-32212,CVE-2022-32213,CVE-2022-32214,CVE-2022-32215
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    nodejs10-10.24.1-150000.1.47.1
openSUSE Leap 15.3 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Manager Server 4.1 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Manager Retail Branch Server 4.1 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Manager Proxy 4.1 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server for SAP 15 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise Server 15-LTSS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Enterprise Storage 7 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE Enterprise Storage 6 (src):    nodejs10-10.24.1-150000.1.47.1
SUSE CaaS Platform 4.0 (src):    nodejs10-10.24.1-150000.1.47.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Robert Frohl 2022-08-25 14:24:23 UTC
done, closing