OpenSSL update, 1.0.2m

Rod Vagg

(Update 8-Nov-2017) Node.js Releases

Releases were made available for active lines yesterday, each including the OpenSSL 1.0.2m update. As we have not categorized these strictly as security releases they also contain other minor fixes and additions as per our regular release procedures.

While we don't consider OpenSSL 1.0.2m a critical update, you should make plans to upgrade your deployments as soon as practical.

(Update 2-Nov-2017) Node.js Impact Assessment & Release Plan

The following impact assessment for Node.js of the flaws fixed in OpenSSL 1.0.2m has been provided by Shigeki Ohtsu from our crypto team. Original details about the announcement from the OpenSSL team can be found below.

CVE-2017-3735: OOB read parsing IPAdressFamily in an X.509 certificate

CVE-2017-3735 fixes buffer over-read in parsing X.509 certificates using extensions defined in RFC3779.

Node.js disables RFC3779 support by defining OPENSSL_NO_RFC3779 during compile. It is therefore unlikely that Node.js is impacted in any way by this vulnerability.

CVE-2017-3736: Carry propagating bug in the x86_64 Montgomery squaring procedure

CVE-2017-3736 fixes a carry propagating bug in the x86*64 _Montgomery squaring* procedure.

Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against Diffie-Hellman are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent Diffie-Hellman parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.

CVE-2017-3736 impacts Node.js users but the likelihood of successful attack using the flaw is very low and we therefore deem it to be non-critical.

Additional fixes

OpenSSL 1.0.2m also includes two additional fixes that do not have a CVE assigned to them.

  1. A side channel attack of ECDSA which appears too difficult to execute and can only obtain limited information about a private key.
  2. A fix for TLS servers with SNI enabled. Node.js does not use SSL_set_SSL_CTX in this context so is not impacted.

Release plan

Due to the low impact and low severity of these fixes, we have decided not to push urgent releases of Node.js this week. Releases of all active release lines are scheduled for next Tuesday, the 7th of November and these releases will all include OpenSSL 1.0.2m along with other regular Node.js patches and additions.

Our active release lines are:

  • Node.js 4 LTS "Argon" (Maintenance LTS)
  • Node.js 6 LTS "Boron" (Active LTS)
  • Node.js 8 LTS "Carbon" (Active LTS)
  • Node.js 9 (Current)

We will include an update here once all releases are made available.

Original post is included below


The OpenSSL project has announced (also see their correction) that they will be releasing versions 1.1.0g and 1.0.2m this week, on Thursday the 2nd of November 2017, UTC. The releases will fix one "low severity security issue" and one "moderate level security issue". "Moderate" level security issues for OpenSSL:

... includes issues like crashes in client applications, flaws in protocols that are less commonly used (such as DTLS), and local flaws.

Note that Node.js currently does not support or bundle OpenSSL 1.1.0, so we will focus entirely on 1.0.2m in this release.

Information about the "low" severity security issue is already public:

Malformed X.509 IPAddressFamily could cause OOB read (CVE-2017-3735)

If an X.509 certificate has a malformed IPAddressFamily extension, OpenSSL could do a one-byte buffer overread. The most likely result would be an erroneous display of the certificate in text format.

As this is a low severity fix, no release is being made. The fix can be found in the source repository (1.0.2, 1.1.0, and master branches); see https://github.com/openssl/openssl/pull/4276. This bug has been present since 2006.

At this stage, due to embargo, it is uncertain what the nature of the "moderate" severity fix is, nor what impact it will have on Node.js users, if any. We will proceed as follows:

Within approximately 24 hours of the OpenSSL 1.0.2m release, our crypto team will make an impact assessment for Node.js users. This information may vary depending for the different active release lines and will be posted here.

As part of that impact assessment we will announce our release plans for each of the active release lines to take into account any impact. Please be prepared for the possibility of important updates to Node.js 4 "Argon", Node.js 6 "Boron", Node.js 8 "Carbon" and Node.js 9 (Current) as soon as Friday, the 3rd of November, 2017.

If our assessment concludes that the OpenSSL "moderate" security issue has very low impact for Node.js users, the Node.js release team may decide to bundle this OpenSSL upgrade with the regular, planned Node.js releases for both LTS and Current release lines and not proceed with special security releases.

Please monitor the nodejs-sec Google Group for updates, including an impact assessment and updated details on release timing within approximately 24 hours after the OpenSSL release: https://groups.google.com/forum/#!forum/nodejs-sec

Contact and future updates

The current Node.js security policy can be found at https://github.com/nodejs/node/security/policy#security.

Please contact [email protected] if you wish to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.