OpenSSL 3.0.7 update assessment

Rafael Gonzaga

Rafael Gonzaga

Summary

The vulnerability in the OpenSSL Security Advisory of Dec 13 2022 do not affect any active Node.js release lines.

Analysis

Our assessment of the security advisory is:

X.509 Policy Constraints Double Locking (CVE-2022-3996)

Node.js doesn't call OpenSSL as a separate process (so the possibility to use the -policy flag is invalid), nor call the functions X509_VERIFY_PARAM_add0_policy() and X509_VERIFY_PARAM_set1_policies(). Therefore, Node.js is not affected by this vulnerability.

Contact and future updates

The current Node.js security policy can be found at https://github.com/nodejs/node/security/policy#security, including information on how to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.

마지막 업데이트
2022년 12월 16일
읽는 데 걸리는 시간
1 min read
기여하기
Edit this page
목차
  1. Summary
  2. Analysis
  3. X.509 Policy Constraints Double Locking (CVE-2022-3996)
  4. Contact and future updates