OpenSSL Recent Security Patches

Rafael Gonzaga

Summary

For the vulnerabilities disclosed in the OpenSSL Security Advisories of:

  • OpenSSL 3.0.11 - Tuesday 19th September 2023
  • OpenSSL 3.0.12 - Tuesday 24th October 2023

Node.js on Windows is affected by one vulnerability, rated LOW. Because of the low severity, the OpenSSL update will ship in regular Node.js releases rather than in dedicated security releases.

Analysis

Our assessment of the vulnerabilities disclosed in the advisories listed above is:

POLY1305 MAC implementation corrupts XMM registers on Windows (CVE-2023-4807) - Low

Node.js is affected by this vulnerability. CVE-2023-4807 only affects Windows users (64-bit builds running on processors that support the AVX512-IFMA instructions), and the OpenSSL Security Team rates it LOW.

Incorrect cipher key & IV length processing (CVE-2023-5363) - Moderate

Node.js does not use or export the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() functions, so Node.js itself is not affected.

Users who call the affected OpenSSL functions through other means, such as through native addons, can dynamically link against a patched version of OpenSSL until new releases of Node.js are available.
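As an added example (not code from the Node.js project or from this advisory), the script below reports which of the two fixes the OpenSSL linked into the running Node.js process carries, and whether that OpenSSL is a shared system library (the case described above, where the operating system's OpenSSL package rather than the Node.js release determines the fix level). The version thresholds are taken from the advisory dates above and are only defined for the 3.0 series; any other series is reported as "unknown" rather than guessed. The function names and the status vocabulary are this example's own choices.

```javascript
'use strict';

// Fix thresholds for the two CVEs discussed in the advisory. Only the 3.0
// release series is filled in; other series are reported as "unknown".
const FIXED_IN = {
  'CVE-2023-4807': { windowsOnly: true,  fixed: { '3.0': [3, 0, 11] } },
  'CVE-2023-5363': { windowsOnly: false, fixed: { '3.0': [3, 0, 12] } },
};

// Parse strings such as "3.0.10+quic" or "1.1.1w" (the shapes seen in
// process.versions.openssl) into a numeric [major, minor, patch] triple.
// Returns null when the string does not start with major.minor.patch.
function parseOpenSSLVersion(str) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(str));
  if (!m) return null;
  return m.slice(1, 4).map(Number);
}

// Lexicographic comparison of two numeric triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Assess one OpenSSL version on one platform. The defaults describe the
// current process; explicit arguments make the function testable offline.
// Status per CVE: "patched", "vulnerable", "not-applicable" or "unknown".
function assessOpenSSL(versionString = process.versions.openssl,
                       platform = process.platform) {
  const v = parseOpenSSLVersion(versionString);
  const result = { version: versionString, findings: {} };
  for (const [cve, rule] of Object.entries(FIXED_IN)) {
    if (rule.windowsOnly && platform !== 'win32') {
      result.findings[cve] = 'not-applicable';
      continue;
    }
    const fixed = v ? rule.fixed[`${v[0]}.${v[1]}`] : undefined;
    if (!fixed) {
      result.findings[cve] = 'unknown';
      continue;
    }
    result.findings[cve] = compareVersions(v, fixed) >= 0 ? 'patched' : 'vulnerable';
  }
  return result;
}

// True when this Node.js binary was built against a shared (system) OpenSSL.
// Official Node.js binaries bundle OpenSSL statically, so this is false there.
function usesSharedOpenSSL() {
  return Boolean(process.config && process.config.variables &&
                 process.config.variables.node_shared_openssl);
}

// Report on the running process.
const report = assessOpenSSL();
console.log(`OpenSSL ${report.version} (shared library: ${usesSharedOpenSSL()})`);
for (const [cve, status] of Object.entries(report.findings)) {
  console.log(`  ${cve}: ${status}`);
}
```

Run it with the Node.js binary you deploy (`node check-openssl.js`). A "vulnerable" result for CVE-2023-5363 only matters if a native addon in the process calls the EVP_*Init_ex2() functions, as the text above explains; the Node.js core crypto module is not affected either way.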

Contact and future updates

The current Node.js security policy can be found at https://github.com/nodejs/node/security/policy#security, including information on how to report a vulnerability in Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on security vulnerabilities and security-related releases of Node.js and the projects maintained in the nodejs GitHub organization.