What is SSL Security?
SSL is an abbreviation for Secure Sockets Layer, the standard technology for keeping an internet connection secure and safeguarding sensitive data sent between two systems, preventing criminals from reading or altering the data in transit, including potentially personal information. Data security is a top priority for businesses that want their processes to run smoothly.
Security updates for OpenSSL require updates for Node.js.
Upstream patches from OpenSSL are now available for Node.js versions 17.x, 16.x, 14.x, and 12.x.
On or shortly after Thursday, March 17th, 2022, the Node.js project will issue updated versions of the 12.x, 14.x, 16.x, and 17.x release lines to incorporate upstream updates from OpenSSL.
Contact information and upcoming updates
https://github.com/nodejs/node/blob/master/SECURITY.md contains the current Node.js security policy. If you want to report a vulnerability in Node.js, please follow the instructions given in the above link.
Why did Node.js hold off on applying a patch until OpenSSL’s security was upgraded?
The Node.js Foundation patched two serious vulnerabilities in its open-source server-side JavaScript framework, as well as the recently patched OpenSSL vulnerability.
The Node.js Foundation has released updates for all maintenance, long-term support, and stable releases of Node.js to fix two significant vulnerabilities, as promised.
The updates were disclosed a week ago and were supposed to be released earlier this week, but the Foundation delayed them to incorporate the latest OpenSSL version, which was also fixed this week. OpenSSL 1.0.1 is required for Node.js 0.10.x (Maintenance) and 0.12.x (LTS), while OpenSSL 1.0.2 is required for Node.js 4.x (LTS Argon) and 5.x.
The most recent versions of Node.js, 0.10.41 (Maintenance), 0.12.9 (LTS), 4.2.3 Argon (LTS), and 5.1.1 (Stable), include remedies for denial-of-service and out-of-bounds access vulnerabilities, as well as the newest OpenSSL libraries, Rod Vagg, the technical steering committee director of the Node.js Foundation, stated in a blog post.
The Node.js Foundation's decision to postpone its release so that it could incorporate the OpenSSL fixes illustrates a reality of open-source development: because projects have so many dependencies on one another, maintainers must track issues in related libraries as well as weaknesses in their own code. According to Caleb Fenton, a security researcher with SourceClear, modern software development often contains only 10% unique code and 90% third-party libraries. It is the responsibility of the developer to ensure that the apps do not link to vulnerable libraries.
Node.js Vulnerabilities
According to Vagg’s blog post, the Node.js vulnerabilities only affected the LTS and Stable editions.
The denial-of-service flaw (CVE-2015-8027) was related to HTTP pipelining and affected all versions of Node.js from v0.12.x to v5.x, inclusive. Because an external attacker may create those conditions and shut down the Node.js service operating on the targeted host, the Foundation graded the bug as serious.
“In some cases, an HTTP socket may no longer be associated with a parser, but a pipelined request can cause the non-existent parser to pause or resume, resulting in an uncaughtException,” Vagg noted.
Users of impacted Node.js versions who expose HTTP services should upgrade as soon as possible to the patched versions:
- Node.js 0.12.x users should upgrade to Node.js 0.12.9 (LTS).
- Node.js 4.x users, including LTS Argon, should upgrade to Node.js 4.2.3 Argon (LTS).
- Node.js 5.x users should upgrade to Node.js 5.1.1 (Stable).
V8’s implementation of JSON.stringify contained an out-of-bounds access vulnerability (CVE-2015-6764). The identical problem was fixed in Chrome Stable this week, and it’s deemed a high-severity concern for browsers. According to Vagg, the vulnerability is less dangerous for Node.js users because it requires third-party JavaScript to be executed within the application to be exploitable.
Users of Node.js that expose services that process untrusted user-supplied JavaScript are obviously vulnerable, but all users should upgrade because attackers can use various methods to execute third-party JavaScript within a Node.js session:
- Node.js 4.x users, including LTS Argon, should upgrade to Node.js 4.2.3 Argon (LTS).
- Node.js 5.x users should upgrade to Node.js 5.1.1 (Stable).
OpenSSL issues have an influence on Node.js
Even though the above-mentioned vulnerabilities did not affect Node.js 0.10.x (Maintenance), users should nevertheless upgrade to the new Maintenance version because it relies on OpenSSL v1.0.1. The vulnerability in OpenSSL v1.0.1 and 1.0.2 (CVE-2015-3194) may cause a crash during certificate verification when a malformed ASN.1 signature using the RSA-PSS algorithm is presented. The issue might be used to launch a denial-of-service attack against Node.js TLS servers that require client authentication. Node.js TLS clients are affected as well if faulty certificates are submitted to them for verification.
The problem in OpenSSL 1.0.2’s Montgomery squaring routine also affects Node.js 4.x (LTS) and 5.x. Attacks on RSA and DSA are possible, but “very tough,” and attacks on DHE key exchange are “possible but challenging.”
“Though it is believed that Node.js’ present use of SSL_OP_SINGLE_DH_USE may make DHE assaults unfeasible,” Vagg added, “Node.js TLS servers implementing DHE key exchange are deemed at highest risk.”
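The upgrade guidance above (0.12.9, 4.2.3 Argon, 5.1.1, and 0.10.41 for the OpenSSL 1.0.1 fix) is easy to get wrong by hand when you operate a mixed fleet. The following script is an added example, not code from the article or from the Node.js project: it maps a running build's `process.version` onto its release line, compares it with the minimum patched release the article lists, and reports which OpenSSL line the bundled library (`process.versions.openssl`) belongs to. The `FIXED_NODE` table, the `assessNodeVersion`/`report` helpers and the status names are assumptions of this example; the exact OpenSSL letter releases that carry the fix are not stated in the article, so only the OpenSSL line is classified and the Node.js release check is treated as authoritative.

```javascript
// Added example: classify a Node.js build against the patched releases named
// in the article. Not part of the original post.

// Minimum patched Node.js release per release line, as listed in the article.
const FIXED_NODE = {
  '0.10': '0.10.41', // Maintenance: carries the OpenSSL 1.0.1 fix
  '0.12': '0.12.9',  // LTS: CVE-2015-8027 (HTTP pipelining DoS)
  '4': '4.2.3',      // LTS Argon: CVE-2015-8027, CVE-2015-6764, OpenSSL 1.0.2 fixes
  '5': '5.1.1',      // Stable: same set as 4.x
};

// Parse "v5.1.1" or "5.1.1" into [major, minor, patch]; null on junk input.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? m.slice(1).map(Number) : null;
}

// Numeric compare of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${pa ? b : a}`);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Release line key: 0.x lines are keyed by major.minor, later lines by major.
function releaseLine(v) {
  const p = parseVersion(v);
  if (!p) return null;
  return p[0] === 0 ? `0.${p[1]}` : String(p[0]);
}

// Returns { line, fixed, status } with status 'patched', 'needs-upgrade'
// or 'unknown-line' (a line the article does not cover).
function assessNodeVersion(v) {
  const line = releaseLine(v);
  const fixed = line ? FIXED_NODE[line] : undefined;
  if (!fixed) return { line, fixed: null, status: 'unknown-line' };
  const status = compareVersions(v, fixed) >= 0 ? 'patched' : 'needs-upgrade';
  return { line, fixed, status };
}

// process.versions.openssl looks like "1.0.2e"; keep only the numeric line.
function opensslLineOf(versionString) {
  const m = /^(\d+\.\d+\.\d+)/.exec(String(versionString));
  return m ? m[1] : null;
}

// Combined report for one build. The OpenSSL lines named as affected by
// CVE-2015-3194 in the article are 1.0.1 and 1.0.2.
function report(nodeVersion, opensslVersion) {
  const node = assessNodeVersion(nodeVersion);
  const opensslLine = opensslLineOf(opensslVersion);
  const opensslAffectedLine = opensslLine === '1.0.1' || opensslLine === '1.0.2';
  return Object.assign({}, node, { opensslLine, opensslAffectedLine });
}

// Run against the current process when executed directly.
if (typeof process !== 'undefined' && process.versions) {
  console.log(report(process.version, process.versions.openssl));
}
```

Feed `report()` the output of `node -p "process.version + ' ' + process.versions.openssl"` collected from each host to get a fleet-wide view; a build on a line not in `FIXED_NODE` is reported as `unknown-line` rather than silently marked safe.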
Spaghetti coding necessitates cooperation
The popular server-side JavaScript platform is governed by the Node.js Foundation. OpenSSL is a completely independent project with its own crew. However, because OpenSSL is widely used in a variety of applications, as demonstrated by Heartbleed, modifications to OpenSSL generally produce a ripple effect, which is exactly what happened here.
Because developers only have to upgrade their libraries once, the Node.js Foundation did the right thing by delaying the release of Node.js to include the latest OpenSSL. It’s difficult enough to keep everyone up to date on patches; if the Foundation had issued the changes as planned, then released a new version a few days later with the corrected OpenSSL, it would have caused even more havoc. Some developers may miss the second update notification or be unaware of the consequences of using an outdated OpenSSL.
Many developers are unaware of all the components utilised in their apps, making it difficult to determine when a vulnerability in some project affects their code. They may know which libraries they’re calling, but not which further libraries those libraries pull in, and the nesting can be many layers deep. Some of the hidden libraries may never appear in the program’s declared dependency list.
Open-source programming is interconnected and widely used. “A vulnerability could have a lot of ‘reach’ into programmes that are far away,” Fenton added. Each library maintainer, application developer, and everyone else in the chain is responsible for ensuring that the application contains updated code. Concentrating solely on known dependencies or the original code is shortsighted and does not contribute to overall programme security.
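The point about hidden, transitively pulled-in libraries is easiest to see by walking a real dependency tree. The script below is an added example, not code from the article or from any project it mentions: it flattens a nested dependency tree into a list of packages with their depth and the path through which each is reached, separates the ones the application did not declare itself, and matches every entry against a list of advisories. The tree and the advisories are constructed sample data (the package names, versions and `ADV-PLACEHOLDER-*` ids are invented); the tree is loosely shaped like the nested `dependencies` map of an npm v1 lockfile, and the `flattenDependencies`/`findAffected` helpers are this example's own.

```javascript
// Added example: enumerate transitive dependencies and match them against
// advisories. Not part of the original post; all data below is constructed.

// Constructed sample tree, loosely shaped like an npm v1 lockfile's nested
// "dependencies" map. Package names and versions are invented.
const SAMPLE_LOCK = {
  name: 'example-app',
  version: '1.0.0',
  dependencies: {
    'web-framework': {
      version: '2.3.0',
      dependencies: {
        'body-parse': {
          version: '1.1.0',
          dependencies: {
            'qs-lite': { version: '0.9.2' },
          },
        },
        'cookie-util': { version: '0.4.0' },
      },
    },
    'tls-helper': {
      version: '1.2.0',
      dependencies: {
        'asn1-reader': { version: '0.3.1' },
      },
    },
  },
};

// Depth-first walk. Returns flat entries { name, version, depth, path }, where
// depth 1 means "declared directly by the application".
function flattenDependencies(node, path = [], out = []) {
  const deps = node.dependencies || {};
  for (const name of Object.keys(deps)) {
    const child = deps[name];
    const childPath = path.concat(name);
    out.push({
      name,
      version: child.version,
      depth: childPath.length,
      path: childPath.join(' > '),
    });
    flattenDependencies(child, childPath, out); // recurse into nested deps
  }
  return out;
}

// Packages the application never declared itself (depth > 1).
function hiddenDependencies(lock) {
  return flattenDependencies(lock).filter((e) => e.depth > 1);
}

// Constructed placeholder advisories: a package name plus the exact versions
// the advisory covers. Real advisories would come from a vulnerability feed.
const SAMPLE_ADVISORIES = [
  { id: 'ADV-PLACEHOLDER-1', name: 'asn1-reader', affected: ['0.3.0', '0.3.1'] },
  { id: 'ADV-PLACEHOLDER-2', name: 'qs-lite', affected: ['0.9.2'] },
];

// Match every package in the tree (at any depth) against the advisories and
// report where in the tree each hit sits, so the owner of the direct
// dependency can be identified.
function findAffected(lock, advisories) {
  const entries = flattenDependencies(lock);
  const hits = [];
  for (const adv of advisories) {
    for (const e of entries) {
      if (e.name === adv.name && adv.affected.includes(e.version)) {
        hits.push({ advisory: adv.id, name: e.name, version: e.version, depth: e.depth, path: e.path });
      }
    }
  }
  return hits;
}

console.log(flattenDependencies(SAMPLE_LOCK));
console.log(hiddenDependencies(SAMPLE_LOCK).map((e) => e.path));
console.log(findAffected(SAMPLE_LOCK, SAMPLE_ADVISORIES));
```

Both advisories in the sample hit packages the application never declared; the `path` field is what tells you which direct dependency (`tls-helper`, `web-framework`) has to ship an update before your own lockfile can be clean.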
Technical Director, iFour Technolab Pvt. Ltd. A seasoned technocrat with years of experience building technical solutions for various industries using Microsoft technologies. With a sharp understanding and technical acumen, he has delivered hundreds of Web, Cloud, Desktop, and Mobile solutions and is heading the technical department at an esteemed Microsoft 365 development company, iFour Technolab Pvt. Ltd.