Vulnerabilities > CVE-2017-15896 - Unspecified vulnerability in Nodejs Node.Js

CVSS 9.1 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

NONE

network

low complexity

nodejs

critical

nessus

NVD

Published: 2017-12-11

Updated: 2022-08-16

Summary

Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption.

Vulnerable Configurations

Part	Description	Count
Application	Nodejs Nodejs Node.Js 4.0.0 Nodejs Node.Js 4.1.0 Nodejs Node.Js 4.1.1 Nodejs Node.Js 6.0.0 Nodejs Node.Js 6.1.0 Nodejs Node.Js 6.2.0 Nodejs Node.Js 6.2.1 Nodejs Node.Js 6.2.2 Nodejs Node.Js 6.3.0 Nodejs Node.Js 6.3.1 Nodejs Node.Js 6.4.0 Nodejs Node.Js 6.5.0 Nodejs Node.Js 6.6.0 Nodejs Node.Js 6.7.0 Nodejs Node.Js 6.8.0 Nodejs Node.Js 8.0.0 Nodejs Node.Js 8.1.0 Nodejs Node.Js 8.1.1 Nodejs Node.Js 8.1.2 Nodejs Node.Js 8.1.3 Nodejs Node.Js 8.1.4 Nodejs Node.Js 8.2.0 Nodejs Node.Js 8.2.1 Nodejs Node.Js 8.3.0 Nodejs Node.Js 8.4.0 Nodejs Node.Js 8.5.0 Nodejs Node.Js 8.6.0 Nodejs Node.Js 8.7.0 Nodejs Node.Js 8.8.0 Nodejs Node.Js 9.0.0 Nodejs Node.Js 9.1.0 Nodejs Node.Js 9.2.0 Nodejs Node.Js 8.9.0 Nodejs Node.Js 8.9.1 Nodejs Node.Js 8.9.2 Nodejs Node.Js 6.9.0 Nodejs Node.Js 6.9.1 Nodejs Node.Js 6.9.2 Nodejs Node.Js 6.9.3 Nodejs Node.Js 6.9.4 Nodejs Node.Js 6.9.5 Nodejs Node.Js 6.10.0 Nodejs Node.Js 6.10.1 Nodejs Node.Js 6.10.2 Nodejs Node.Js 6.10.3 Nodejs Node.Js 6.11.0 Nodejs Node.Js 6.11.1 Nodejs Node.Js 6.11.2 Nodejs Node.Js 6.11.3 Nodejs Node.Js 6.11.4 Nodejs Node.Js 6.11.5 Nodejs Node.Js 6.12.0 Nodejs Node.Js 6.12.1 Nodejs Node.Js 4.2.0 Nodejs Node.Js 4.2.1 Nodejs Node.Js 4.2.2 Nodejs Node.Js 4.2.3 Nodejs Node.Js 4.2.4 Nodejs Node.Js 4.2.5 Nodejs Node.Js 4.2.6 Nodejs Node.Js 4.3.0 Nodejs Node.Js 4.3.1 Nodejs Node.Js 4.3.2 Nodejs Node.Js 4.4.0 Nodejs Node.Js 4.4.1 Nodejs Node.Js 4.4.2 Nodejs Node.Js 4.4.3 Nodejs Node.Js 4.4.4 Nodejs Node.Js 4.4.5 Nodejs Node.Js 4.4.6 Nodejs Node.Js 4.4.7 Nodejs Node.Js 4.5.0 Nodejs Node.Js 4.6.0 Nodejs Node.Js 4.6.1 Nodejs Node.Js 4.6.2 Nodejs Node.Js 4.7.0 Nodejs Node.Js 4.7.1 Nodejs Node.Js 4.7.2 Nodejs Node.Js 4.7.3 Nodejs Node.Js 4.8.0 Nodejs Node.Js 4.8.1 Nodejs Node.Js 4.8.2 Nodejs Node.Js 4.8.3 Nodejs Node.Js 4.8.4 Nodejs Node.Js 4.8.5 Nodejs Node.Js 4.8.6	100

Nessus

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-0293-1.NASL
description	This update for nodejs6 fixes the following issues: Security issues fixed : - CVE-2017-15896: Vulnerable to CVE-2017-3737 due to embedded OpenSSL (bsc#1072322). - CVE-2017-14919: Embedded zlib issue could cause a DoS via specific windowBits value. - CVE-2017-3738: Embedded OpenSSL is vulnerable to rsaz_1024_mul_avx2 overflow bug on x86_64. - CVE-2017-3736: Embedded OpenSSL is vulnerable to bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242). - CVE-2017-3735: Embedded OpenSSL is vulnerable to malformed X.509 IPAdressFamily that could cause OOB read (bsc#1056058). Bug fixes : - Update to LTS release 6.12.2 (bsc#1072322): https://nodejs.org/en/blog/vulnerability/december-2017-s ecurity-releases/ - https://nodejs.org/en/blog/release/v6.12.2/ - https://nodejs.org/en/blog/release/v6.12.1/ - https://nodejs.org/en/blog/release/v6.12.0/ - https://nodejs.org/en/blog/release/v6.11.5/ - https://nodejs.org/en/blog/release/v6.11.4/ - https://nodejs.org/en/blog/release/v6.11.3/ - https://nodejs.org/en/blog/release/v6.11.2/ Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-24
modified	2019-01-02
plugin id	120014
published	2019-01-02
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/120014
title	SUSE SLES12 Security Update : nodejs6 (SUSE-SU-2018:0293-1)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2018-5.NASL
description	This update for nodejs4 fixes the following issues : Security issues fixed : - CVE-2017-15896: Vulnerable to CVE-2017-3737 due to embedded OpenSSL (bsc#1072322). - CVE-2017-14919: Embedded zlib issue could cause a DoS via specific windowBits value. - CVE-2017-3738: Embedded OpenSSL is vulnerable to rsaz_1024_mul_avx2 overflow bug on x86_64. - CVE-2017-3736: Embedded OpenSSL is vulnerable to bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242). - CVE-2017-3735: Embedded OpenSSL is vulnerable to malformed X.509 IPAdressFamily that could cause OOB read (bsc#1056058). Bug fixes : - Update to release 4.8.7 (bsc#1072322) : - https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ - https://nodejs.org/en/blog/release/v4.8.7/ - https://nodejs.org/en/blog/release/v4.8.6/ - https://nodejs.org/en/blog/release/v4.8.5/ This update was imported from the SUSE:SLE-12:Update update project.
last seen	2020-06-05
modified	2018-01-08
plugin id	105638
published	2018-01-08
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/105638
title	openSUSE Security Update : nodejs4 (openSUSE-2018-5)

NASL family	SuSE Local Security Checks
NASL id	OPENSUSE-2018-116.NASL
description	This update for nodejs6 fixes the following issues : Security issues fixed : - CVE-2017-15896: Vulnerable to CVE-2017-3737 due to embedded OpenSSL (bsc#1072322). - CVE-2017-14919: Embedded zlib issue could cause a DoS via specific windowBits value. - CVE-2017-3738: Embedded OpenSSL is vulnerable to rsaz_1024_mul_avx2 overflow bug on x86_64. - CVE-2017-3736: Embedded OpenSSL is vulnerable to bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242). - CVE-2017-3735: Embedded OpenSSL is vulnerable to malformed X.509 IPAdressFamily that could cause OOB read (bsc#1056058). Bug fixes : - Update to LTS release 6.12.2 (bsc#1072322) : - https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/ - https://nodejs.org/en/blog/release/v6.12.2/ - https://nodejs.org/en/blog/release/v6.12.1/ - https://nodejs.org/en/blog/release/v6.12.0/ - https://nodejs.org/en/blog/release/v6.11.5/ - https://nodejs.org/en/blog/release/v6.11.4/ - https://nodejs.org/en/blog/release/v6.11.3/ - https://nodejs.org/en/blog/release/v6.11.2/ This update was imported from the SUSE:SLE-12:Update update project.
last seen	2020-06-05
modified	2018-02-01
plugin id	106547
published	2018-02-01
reporter	This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/106547
title	openSUSE Security Update : nodejs6 (openSUSE-2018-116)

NASL family	SuSE Local Security Checks
NASL id	SUSE_SU-2018-0002-1.NASL
description	This update for nodejs4 fixes the following issues: Security issues fixed : - CVE-2017-15896: Vulnerable to CVE-2017-3737 due to embedded OpenSSL (bsc#1072322). - CVE-2017-14919: Embedded zlib issue could cause a DoS via specific windowBits value. - CVE-2017-3738: Embedded OpenSSL is vulnerable to rsaz_1024_mul_avx2 overflow bug on x86_64. - CVE-2017-3736: Embedded OpenSSL is vulnerable to bn_sqrx8x_internal carry bug on x86_64 (bsc#1066242). - CVE-2017-3735: Embedded OpenSSL is vulnerable to malformed X.509 IPAdressFamily that could cause OOB read (bsc#1056058). Bug fixes : - Update to release 4.8.7 (bsc#1072322): https://nodejs.org/en/blog/vulnerability/december-2017-s ecurity-releases/ - https://nodejs.org/en/blog/release/v4.8.7/ - https://nodejs.org/en/blog/release/v4.8.6/ - https://nodejs.org/en/blog/release/v4.8.5/ Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen	2020-03-24
modified	2019-01-02
plugin id	120012
published	2019-01-02
reporter	This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/120012
title	SUSE SLES12 Security Update : nodejs4 (SUSE-SU-2018:0002-1)

NASL family	FreeBSD Local Security Checks
NASL id	FREEBSD_PKG_BEA84A7AE0C911E7B4F311BAA0C2DF21.NASL
description	Node.js reports : Data Confidentiality/Integrity Vulnerability - CVE-2017-15896 Node.js was affected by OpenSSL vulnerability CVE-2017-3737 in regards to the use of SSL_read() due to TLS handshake failure. The result was that an active network attacker could send application data to Node.js using the TLS or HTTP2 modules in a way that bypassed TLS authentication and encryption. Uninitialized buffer vulnerability - CVE-2017-15897 Node.js had a bug in versions 8.X and 9.X which caused buffers to not be initialized when the encoding for the fill value did not match the encoding specified. For example,
last seen	2020-06-01
modified	2020-06-02
plugin id	105259
published	2017-12-15
reporter	This script is Copyright (C) 2017-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
source	https://www.tenable.com/plugins/nessus/105259
title	FreeBSD : node.js -- Data Confidentiality/Integrity Vulnerability, December 2017 (bea84a7a-e0c9-11e7-b4f3-11baa0c2df21)

References

https://nodejs.org/en/blog/vulnerability/december-2017-security-releases/