GHSA-2cpx-6pqp-wf35

Source
https://github.com/advisories/GHSA-2cpx-6pqp-wf35
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-2cpx-6pqp-wf35/GHSA-2cpx-6pqp-wf35.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-2cpx-6pqp-wf35
Aliases
Published
2022-07-29T22:24:10Z
Modified
2023-11-08T04:09:29.197851Z
Severity
  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
fs2-io skips mTLS client verification
Details

Impact

When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds.

The vulnerability is limited to:

  1. fs2-io running on Node.js. The JVM TLS implementation is completely independent.
  2. TLSSockets in server-mode. Client-mode TLSSockets are implemented via a different API.
  3. mTLS as enabled via requestCert = true in TLSParameters. The default setting is false for server-mode TLSSockets.

It was introduced with the initial Node.js implementation of fs2-io in v3.1.0.

Patches

A patch was released in v3.2.11: the requestCert = true parameter is respected and the peer certificate is verified. If verification fails, an SSLException is raised.

Workarounds

If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish an mTLS connection.

References

  • https://github.com/nodejs/node/issues/43994
  • https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/

For more information

If you have any questions or comments about this advisory:

  • Open an issue.
  • Contact the Typelevel Security Team.

Affected packages

Maven / co.fs2:fs2-io

Package

Name
co.fs2:fs2-io
Purl
pkg:maven/co.fs2/fs2-io

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.1.0
Fixed
3.2.11
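
The affected range and the Node.js-only condition from this advisory, written as a dependency check; this is an added example, not code from the advisory or the fs2 project. It assumes coordinates in group:artifact:version form and that Scala.js artifacts carry an `_sjs` marker in their suffix; the status names and sample coordinates are constructed for illustration.

```python
import re

# Range taken from the advisory: introduced in 3.1.0, fixed in 3.2.11.
INTRODUCED, FIXED = (3, 1, 0), (3, 2, 11)

# Assumption: input is "group:artifact:version". Scala.js builds (the ones
# that run on Node.js) carry an "_sjs" marker in the artifact suffix, e.g.
# fs2-io_sjs1_2.13; a suffix without it (fs2-io_2.13) is a JVM build.
COORD = re.compile(r"^co\.fs2:fs2-io(?P<suffix>_[\w.]+)?:(?P<version>[^:\s]+)$")
RELEASE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def classify(coordinate):
    """Classify one dependency coordinate against GHSA-2cpx-6pqp-wf35."""
    m = COORD.match(coordinate.strip())
    if m is None:
        return "not-fs2-io"
    suffix = m.group("suffix")
    if suffix is not None and "_sjs" not in suffix:
        return "not-nodejs"  # JVM TLS implementation is independent
    release = RELEASE.fullmatch(m.group("version"))
    if release is None:
        return "review"  # qualifier such as -RC1: order it by hand
    # Compare as integer tuples; as strings "3.2.9" would sort after "3.2.11".
    version = tuple(int(part) for part in release.groups())
    if not (INTRODUCED <= version < FIXED):
        return "outside-range"
    # No suffix (as in the advisory's own package name): platform unknown.
    return "affected" if suffix else "check-platform"


def audit(coordinates):
    """Return {coordinate: status} for entries that need attention."""
    needs_attention = {"affected", "check-platform", "review"}
    results = {c: classify(c) for c in coordinates}
    return {c: s for c, s in results.items() if s in needs_attention}


# Constructed sample input, not taken from any real build.
SAMPLE = [
    "co.fs2:fs2-io_sjs1_2.13:3.2.10",
    "co.fs2:fs2-io_sjs1_3:3.2.11",
    "co.fs2:fs2-io_2.13:3.2.7",
    "co.fs2:fs2-io:3.1.0",
    "co.fs2:fs2-io_sjs1_2.13:3.2.0-RC1",
    "org.typelevel:cats-core_2.13:2.8.0",
]

if __name__ == "__main__":
    for coordinate, status in audit(SAMPLE).items():
        print(f"{status:15} {coordinate}")
```

A hit only matters where the code opens a server-mode TLSSocket with requestCert = true, which a coordinate alone cannot show.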