CVE-2021-44531

Description

Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js < 12.22.9, < 14.18.3, < 16.13.2, and < 17.3.1 was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly.Versions of Node.js with the fix for this disable the URI SAN type when checking a certificate against a hostname. This behavior can be reverted through the --security-revert command-line option.

CVSS Metrics

• v3.1•HIGH•Score: 7.4CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
• v2.0•MEDIUM•Score: 5.8AV:N/AC:M/Au:N/C:P/I:P/A:N

EPSS Trends

Current EPSS score: 0.08%• Percentile: 23%

Techniques & Countermeasures

• CWE-295•Improper Certificate Validation

  The product does not validate, or incorrectly validates, a certificate.

Affected Systems

• nodejs•node

  ≥ 4.0, < 4.* | ≥ 5.0, < 5.* | ≥ 6.0, < 6.* | ≥ 7.0, < 7.* | ≥ 8.0, < 8.* | ≥ 9.0, < 9.* | ≥ 10.0, < 10.* | ≥ 11.0, < 11.* | ≥ 12.0, < 12.22.9 | ≥ 13.0, < 13.* | ≥ 14.0, < 14.18.3 | ≥ 15.0, < 15.* | ≥ 16.0, < 16.13.2 | ≥ 17.0, < 17.3.1

• nodejs•node.js

  < 12.22.9 | ≥ 14.0.0, < 14.18.3 | ≥ 16.0.0, < 16.13.2 | ≥ 17.0.0, < 17.3.1

• oracle•graalvm

  20.3.5 | 21.3.1 | 22.0.0.2

• oracle•mysql_cluster

  ≤ 8.0.29

• oracle•mysql_connectors

  ≤ 8.0.28

• oracle•mysql_enterprise_monitor

  ≤ 8.0.29

• oracle•mysql_server

  ≤ 5.7.37 | ≥ 8.0.0, ≤ 8.0.28

• oracle•mysql_workbench

  ≤ 8.0.28

• oracle•peoplesoft_enterprise_peopletools

  8.58 | 8.59

References (6)

• https://hackerone.com/reports/1429694
• https://nodejs.org/en/blog/vulnerability/jan-2022-security-releases/
• https://www.oracle.com/security-alerts/cpuapr2022.html
• https://security.netapp.com/advisory/ntap-20220325-0007/
• https://www.debian.org/security/2022/dsa-5170
• https://www.oracle.com/security-alerts/cpujul2022.html