OpenSSL and zlib update assessment, and Node.js Assessment workflow
Rafael Gonzaga
Summary
The vulnerability in the OpenSSL Security release of Oct 11 2022 does not affect any active Node.js release lines, as well as the zlib vulnerability (CVE-2022-37434) patched on the zlib Security release of Oct 13 2022, does not affect Node.js.
Analysis OpenSSL
Our assessment of the security advisory is:
Using a Custom Cipher with NID_undef may lead to NULL encryption (CVE-2022-3358)
Node.js doesn't call EVP_CIPHER_meth_new(NID_undef, ...). Therefore, Node.js is not affected by this vulnerability.
Analysis zlib
Our assessment of the CVE-2022-37434 is:
Buffer overflow in inflate via a large gzip header extra field
Node.js doesn't call inflateGetHeader. Therefore, Node.js is not affected by this vulnerability.
Further information, see: nodejs-dependency-vuln-assessments#50.
Node.js Vulnerability Assessment workflow
The Node.js Security team created an automated workflow that aims to address all the public CVE of Node.js dependencies.
This initiative aims to reduce the gap between a dependency security release and a Node.js assessment. The repository is available at nodejs/nodejs-dependency-vuln-assessments, and the assessments are made through the issues.
Ensure to watch the repository if you are interested in security patches.
Contact and future updates
The current Node.js security policy can be found at https://github.com/nodejs/node/security/policy#security, including information on how to report a vulnerability in Node.js.
Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the Node.js GitHub organization.