Bug 1201330 (CVE-2022-32222) - VUL-0: CVE-2022-32222: nodejs: potential openssl.cnf hijack
Summary: VUL-0: CVE-2022-32222: nodejs: potential openssl.cnf hijack
Status: RESOLVED INVALID
Alias: CVE-2022-32222
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P5 - None
Severity: Normal
Target Milestone: ---
Assignee: Adam Majer
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/336539
Whiteboard: CVSSv3.1:SUSE:CVE-2022-32222:6.8:(AV:...
Keywords:
Depends on:
Blocks:
Reported: 2022-07-08 10:31 UTC by Carlos López
Modified: 2022-07-08 11:01 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Carlos López 2022-07-08 10:31:09 UTC
CVE-2022-32222

When Node.js starts on Linux-based systems, it attempts to read /home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf, which ordinarily doesn't exist. On some shared systems an attacker may be able to create this file and therefore affect the default OpenSSL configuration for other users.

Thank you to Michael Scovetta from the OpenSSF Alpha-Omega project for reporting this vulnerability.

Impacts:

Node.js 18.x
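A defender-side audit of the condition described above, added here as an example; it is not part of the bug report, the upstream advisory or Node.js itself. The script checks whether the hard-coded openssl.cnf path already exists and, if not, whether the deepest existing ancestor directory is owned by a trusted account and closed to group/world writes, since anyone who can write there can create the missing components. The function name, the optional trusted-owner argument (defaulting to root) and the test tree are assumptions of this example; the path itself comes from the description. It relies only on POSIX sh and find(1).

```sh
#!/bin/sh
# Added example, not code from the bug report or from Node.js.
# Audits the openssl.cnf path that Node.js 18.x probes at startup
# (path taken from the CVE-2022-32222 description above).

NODE_OPENSSL_CNF="/home/iojs/build/ws/out/Release/obj.target/deps/openssl/openssl.cnf"

# deepest_existing PATH
# Prints the longest prefix of PATH that exists on this system.
deepest_existing() {
    p="$1"
    while [ ! -e "$p" ] && [ "$p" != "/" ]; do
        p=$(dirname "$p")
    done
    printf '%s\n' "$p"
}

# audit_openssl_cnf_path PATH [TRUSTED_OWNER]
# Returns 0 when an unprivileged local user cannot plant the file:
#   - PATH itself does not exist, and
#   - the deepest existing ancestor is owned by TRUSTED_OWNER (default: root)
#     and is neither group- nor world-writable.
# Returns 1 otherwise and prints the reason.
audit_openssl_cnf_path() {
    target="$1"
    trusted_owner="${2:-root}"

    if [ -e "$target" ]; then
        echo "EXPOSED: $target exists; Node.js 18.x would load it as OpenSSL config"
        return 1
    fi

    anc=$(deepest_existing "$target")

    # Whoever can write to the deepest existing ancestor can create the
    # missing directories and the file. -prune keeps find from descending.
    if [ -z "$(find "$anc" -prune -user "$trusted_owner" -print 2>/dev/null)" ]; then
        echo "EXPOSED: $anc is not owned by $trusted_owner"
        return 1
    fi
    if [ -n "$(find "$anc" -prune \( -perm -g+w -o -perm -o+w \) -print)" ]; then
        echo "EXPOSED: $anc is group- or world-writable"
        return 1
    fi

    echo "OK: $target is absent and $anc is owned by $trusted_owner with no group/world write"
    return 0
}

# Stand-alone use: audit the real path on this host.
if [ "${AUDIT_SELFTEST:-}" = "" ]; then
    audit_openssl_cnf_path "$NODE_OPENSSL_CNF"
fi
```

Run it on each shared host that carries Node.js 18.x; a non-zero exit means a local user could influence the default OpenSSL configuration of every Node.js process on that machine. Hosts where the path already exists should be treated as potentially tampered with until the file's origin is established.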
Comment 1 Carlos López 2022-07-08 11:01:33 UTC
Only relevant for 18.x, which we do not ship. Closing.