CVE-2022-0084 XNIO had a bug where the notifyReadClosed method logged to the wrong end.

The issue can be mitigated by avoiding logging absolutely anything to the log.
Red Hat has provided a workaround, which can be applied by setting the config.PUT_DEBUG in the Red Hat Node.js configuration to false. A bug was found in Node.js' XNIO networking library, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up.

CVE-2022-0085

This issue was found to be a race condition in the server.
The issue can be mitigated by tightening the security of the code.
In addition, we have verified that this vulnerability has been patched on our upstream Node.js repository and also on the master node of all downstream Node.js distributions.

Weak SSL Ciphers

Weak SSL ciphers are a potential security threat to your business. Weak encryption ciphers can be exploited by attackers and provide less protection than a stronger cipher. While there is no reason for you to use weak encryption ciphers, you should still be aware of the issue and understand the risks involved.

To avoid these risks, it's advisable that you change the default cipher on your server from AES-128-CBC to AES-256-CBC. This will make your connection more secure when faced with a weaker cipher. For example, if you have SSL enabled on your website and an attacker sends a request which uses an old version of TLS or an older private key format, their connection would not be encrypted at all by that particular server.

Vulnerability Scenario

An attacker could use this flaw to cause an unwanted disk fill-up.
The workaround can be applied by setting the config.PUT_DEBUG in the Red Hat Node.js configuration to false.

Overview of the Node.js Security Landscape

The Node.js project has been around for a while, but it has recently been getting more attention in the tech industry because of its growing popularity and its prevalence in the JavaScript ecosystem. The Node.js project is a platform that allows developers to write JavaScript applications that run on the server-side without having to worry about compiling their code or having to install a compiler.
There has been an uptick in security vulnerabilities discovered in Node.js recently, which includes CVE-2022-0084, a flaw found in XNIO's notifyReadClosed method. This issue was found by a Node user named Zano who submitted this issue to Red Hat's Bugzilla portal on Wednesday, June 27th, 2018.

Timeline

Published on: 08/26/2022 18:15:00 UTC
Last modified on: 09/01/2022 15:34:00 UTC

References

• https://github.com/xnio/xnio/pull/291
• https://bugzilla.redhat.com/show_bug.cgi?id=2064226
• https://github.com/xnio/xnio/commit/fdefb3b8b715d33387cadc4d48991fb1989b0c12
• https://access.redhat.com/security/cve/CVE-2022-0084
• https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-0084