
mTLS client verification is skipped in Node.js TLS server

Moderate
ChristopherDavenport published GHSA-2cpx-6pqp-wf35 Jul 26, 2022

Package                            Affected versions   Patched versions
co.fs2:fs2-io_sjs1_2.12 (Maven)    < 3.2.11            3.2.11
co.fs2:fs2-io_sjs1_2.13 (Maven)    < 3.2.11            3.2.11
co.fs2:fs2-io_sjs1_3 (Maven)       < 3.2.11            3.2.11

Description

Impact

When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored: the client's certificate is never verified and the connection proceeds as if mutual TLS authentication had succeeded. A server that believes it is enforcing mTLS therefore accepts clients that present an untrusted certificate or no certificate at all.

The vulnerability is limited to:

  1. fs2-io running on Node.js. The JVM TLS implementation is completely independent and is not affected.
  2. TLSSockets in server-mode. Client-mode TLSSockets are implemented via a different API and are not affected.
  3. mTLS as enabled via requestCert = true in TLSParameters. The default is false for server-mode TLSSockets, so servers that never opted into client certificate authentication are not affected.

The bug was introduced with the initial Node.js implementation of fs2-io in v3.1.0.

Patches

A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, an SSLException is raised and the connection is not handed to the application.
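The behaviour before and after the fix, as an added example that is not fs2-io's own code: the decision a server-mode TLS socket owner has to make once the handshake completes, written in JavaScript against the public Node.js tls.TLSSocket fields (authorized, authorizationError, getPeerCertificate(), destroy()). The socket objects, the subject names and the verify-error string are constructed for the example; SSLException, acceptUnchecked, acceptVerified and sampleSocket are names chosen here and do not correspond to fs2-io internals.

```javascript
// Added example, not fs2-io's own code: the post-handshake client-certificate
// check that a server-mode TLS socket must perform when mTLS was requested.
// The sockets are constructed stand-ins exposing the public tls.TLSSocket
// fields that carry the verdict: `authorized`, `authorizationError`,
// `getPeerCertificate()` and `destroy()`.

class SSLException extends Error {
  constructor(message) {
    super(message);
    this.name = 'SSLException';
  }
}

function peerName(socket) {
  const cert = socket.getPeerCertificate(); // {} when the client sent nothing
  return cert && cert.subject ? cert.subject.CN : null;
}

// Vulnerable behaviour (the < 3.2.11 semantics described above): the TLS
// handshake finished, so the connection is handed to the application without
// ever consulting `params.requestCert` or the certificate verdict.
function acceptUnchecked(socket, params) {
  return { ok: true, peer: peerName(socket) };
}

// Patched behaviour: `requestCert` is honoured. If the client's certificate is
// missing or failed verification, the socket is torn down and an SSLException
// is raised, unless the caller explicitly set `rejectUnauthorized: false`
// (Node's default is true), in which case the verdict is returned for the
// application to act on.
function acceptVerified(socket, params) {
  if (!params.requestCert) {
    return { ok: true, peer: null }; // mTLS not requested: nothing to verify
  }
  const cert = socket.getPeerCertificate();
  const presented = Boolean(cert) && Object.keys(cert).length > 0;
  if (presented && socket.authorized) {
    return { ok: true, peer: peerName(socket) };
  }
  const reason = socket.authorizationError ||
    (presented ? 'peer certificate not verified' : 'no peer certificate presented');
  if (params.rejectUnauthorized !== false) {
    socket.destroy();
    throw new SSLException(reason);
  }
  return { ok: false, peer: presented ? peerName(socket) : null, reason };
}

// Constructed sample sockets (hypothetical data); `kind` picks the client's behaviour.
function sampleSocket(kind) {
  const states = {
    // certificate chains to a trusted CA
    trusted: { authorized: true, authorizationError: null, cert: { subject: { CN: 'svc-billing' } } },
    // certificate presented but untrusted; Node reports an OpenSSL verify error name here
    untrusted: { authorized: false, authorizationError: 'SELF_SIGNED_CERT_IN_CHAIN', cert: { subject: { CN: 'rogue' } } },
    // no certificate presented at all
    anonymous: { authorized: false, authorizationError: null, cert: {} },
  };
  const s = states[kind];
  let destroyed = false;
  return {
    authorized: s.authorized,
    authorizationError: s.authorizationError,
    getPeerCertificate: () => s.cert,
    destroy() { destroyed = true; },
    get destroyed() { return destroyed; },
  };
}

// Runs one client kind through both behaviours and reports what each decided.
function compare(kind, params) {
  const unchecked = acceptUnchecked(sampleSocket(kind), params);
  let verified;
  try {
    verified = acceptVerified(sampleSocket(kind), params);
  } catch (e) {
    if (!(e instanceof SSLException)) throw e;
    verified = { ok: false, error: e.message };
  }
  return { unchecked, verified };
}

if (typeof require !== 'undefined' && require.main === module) {
  const mtls = { requestCert: true };
  for (const kind of ['trusted', 'untrusted', 'anonymous']) {
    console.log(kind, JSON.stringify(compare(kind, mtls)));
  }
}
```

The anonymous case is the one this advisory describes: acceptUnchecked hands the connection to the application with no peer identity at all, while acceptVerified destroys the socket and raises. rejectUnauthorized defaults to true as it does in Node.js; only an explicit false turns a failed verdict into a return value instead of an exception, and a server that chooses that mode must still check ok before trusting the peer.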

Workarounds

If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish an mTLS connection: the setting gives no client authentication on affected versions, so the server must not treat such connections as authenticated. Upgrade to 3.2.11 to restore client certificate verification.

References

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2022-31183

Weaknesses