fixup!
BethGriggs committed Jul 8, 2022
1 parent c9d1a75 commit b73efff
Showing 1 changed file with 23 additions and 18 deletions.
41 changes: 23 additions & 18 deletions doc/changelogs/CHANGELOG_V18.md
Expand Up @@ -46,40 +46,45 @@ This is a security release.

### Notable changes

The following CVEs are fixed in this release:

* **[CVE-2022-2097](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-2097)**: OpenSSL - AES OCB fails to encrypt some bytes (Medium)
* **[CVE-2022-32212]()**: DNS rebinding in --inspect via invalid IP addresses (High)
* **[CVE-2022-32213](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32213)**: HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)
* **[CVE-2022-32214](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214)**: HTTP Request Smuggling - Improper Delimiting of Header Fields (Medium)()
* **[CVE-2022-32215](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32215)**: HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)
* **[CVE-2022-32222](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32222)**: Attempt to read openssl.cnf from /home/iojs/build/ upon startup (Medium)
* **[CVE-2022-32223](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32223)**: DLL Hijacking on Windows (High)

More detailed information on each of the vulnerabilities can be found in [July 7th 2022 Security Releases](https://nodejs.org/en/blog/vulnerability/july-2022-security-releases/) blog post.

#### llhttp updated to 6.0.7

`llhttp` is updated to 6.0.7 which includes fixes for the following vulnerabilities:
`llhttp` is updated to 6.0.7 which includes fixes for the following vulnerabilities.

* **HTTP Request Smuggling - Flawed Parsing of Transfer-Encoding (Medium)([CVE-2022-32213](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214) )**: The `llhttp` parser in the `http` module does not correctly parse and validate Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).
* **HTTP Request Smuggling - Improper Delimiting of Header Fields (Medium)([CVE-2022-32214](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214))**: The `llhttp` parser in the `http` module does not strictly use the CRLF sequence to delimit HTTP requests. This can lead to HTTP Request Smuggling. **Note**: This is can be considered a breaking change due to disabling LF header delimiting.
* **HTTP Request Smuggling - Incorrect Parsing of Multi-line Transfer-Encoding (Medium)([CVE-2022-32215](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32215))**: The `llhttp` parser in the `http` module does not correctly handle multi-line Transfer-Encoding headers. This can lead to HTTP Request Smuggling (HRS).

Some of these fixes required breaking changes, so you may be imapcted by this update.
Some of these fixes required breaking changes, so you may be impacted by this update.

#### Default OpenSSL Configuration

#### DLL Hijacking on Windows (High)(CVE-2022-32223)
To resolve **[CVE-2022-32223](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32223)**: DLL Hijacking on Windows (High), changes were made to how Node.js loads OpenSSL configuration by default.

This vulnerability can be exploited if the victim has the following dependencies on Windows machine:
**[CVE-2022-32223](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32223)** could be exploited if the victim has the following dependencies on Windows machine:
* OpenSSL has been installed and `C:\Program Files\Common Files\SSL\openssl.cnf` exists.

Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory. After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows. It is possible for an attacker to place the malicious file `providers.dll` under a variety of paths and exploit this vulnerability.
Whenever the above conditions are present, `node.exe` will search for `providers.dll` in the current user directory. After that, `node.exe` will try to search for `providers.dll` by the DLL Search Order in Windows. An attacker can place the malicious file `providers.dll` under a variety of paths to exploit this vulnerability.

This is a breaking change. Node.js can use an OpenSSL configuration file by specifying the environment variable `OPENSSL_CONF`, or using the command line option `--openssl-conf`, and if none of those are specified will default to reading the default OpenSSL configuration file `openssl.cnf`.
Node.js can use an OpenSSL configuration file by specifying the environment variable `OPENSSL_CONF`, or using the command-line option `--openssl-conf`, and if none of those are specified will default to reading the default OpenSSL configuration file `openssl.cnf`.

From this release, Node.js will only read a section that is by default named `nodejs_conf`. If you were reading the share section of the `openssl.cnf`, you may be affected by this change. You can fall back to the previous behavior by:
From this release, Node.js will only read a section that is, by default, named `nodejs_conf`. If you were previously relying on the configuration specified in the shared section of the `openssl.cnf` file, you may be affected by this change. You can fall back to the previous behavior to read the default section by:

* Adding `--openssl-shared-config` to the command line; or
* Specifying the `--openssl-shared-config` command-line flag; or
* Creating a new `nodejs_conf` section in that file and copying the contents of the default section into the new `nodejs_conf` section.

Attempt to read `openssl.cnf` from /home/iojs/build/ upon startup (Medium)(CVE-2022-32222)
When Node.js starts on linux based systems, it attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, which ordinarily doesn't exist. On some shared systems an attacker may be able create this file and therefore affect the default OpenSSL configuration for other users.

Thank you to Michael Scovetta from the OpenSSF Alpha-Omega project for reporting this vulnerability.

#### OpenSSL - AES OCB fails to encrypt some bytes (Medium)(CVE-2022-2097)

AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised implementation will not encrypt the entirety of the data under some circumstances. This could reveal sixteen bytes of data that was preexisting in the memory that wasn't written. In the special case of "in place" encryption, sixteen bytes of the plaintext would be revealed.

Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, they are both unaffected.
Note that when specifying `--openssl-shared-config` or defining `nodejs_conf` in your `openssl.cnf`, you should be cautious and review your configuration as it could lead to you being vulnerable to similar DLL exploit attacks.

### Commits
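Review bot: the CVE-2022-32213 entry under "llhttp updated to 6.0.7" links to the wrong advisory; its URL is `https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-32214`, so link text and target disagree, and the `?name=` parameter should be `CVE-2022-32213`. Three smaller points in the same region: the CVE-2022-32212 bullet in the "Notable changes" list has an empty link target (`[CVE-2022-32212]()`), the CVE-2022-32214 bullet in that list ends with a stray `()` after "(Medium)", and "on Windows machine" in the CVE-2022-32223 paragraph should read "on a Windows machine". Lastly, this change drops the descriptive paragraphs for CVE-2022-32222 (the `/home/iojs/build/...` openssl.cnf read at startup) and CVE-2022-2097 (AES OCB) while both still appear in the list of fixed CVEs; if they are being moved elsewhere in the changelog that is fine, otherwise they should be restored so every listed CVE has a writeup.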
