Impact
When establishing a server-mode TLSSocket using fs2-io on Node.js, the parameter requestCert = true is ignored, peer certificate verification is skipped, and the connection proceeds.
The vulnerability is limited to:
fs2-io running on Node.js. The JVM TLS implementation is completely independent.TLSSockets in server-mode. Client-mode TLSSockets are implemented via a different API.- mTLS as enabled via
requestCert = true in TLSParameters. The default setting is false for server-mode TLSSockets.
It was introduced with the initial Node.js implementation of fs2-io in v3.1.0.
Patches
A patch is released in v3.2.11. The requestCert = true parameter is respected and the peer certificate is verified. If verification fails, a SSLException is raised.
Workarounds
If using an unpatched version on Node.js, do not use a server-mode TLSSocket with requestCert = true to establish a mTLS connection.
References
For more information
If you have any questions or comments about this advisory:
Impact
When establishing a server-mode
TLSSocketusingfs2-ioon Node.js, the parameterrequestCert = trueis ignored, peer certificate verification is skipped, and the connection proceeds.The vulnerability is limited to:
fs2-iorunning on Node.js. The JVM TLS implementation is completely independent.TLSSockets in server-mode. Client-modeTLSSockets are implemented via a different API.requestCert = trueinTLSParameters. The default setting isfalsefor server-modeTLSSockets.It was introduced with the initial Node.js implementation of fs2-io in v3.1.0.
Patches
A patch is released in v3.2.11. The
requestCert = trueparameter is respected and the peer certificate is verified. If verification fails, aSSLExceptionis raised.Workarounds
If using an unpatched version on Node.js, do not use a server-mode
TLSSocketwithrequestCert = trueto establish a mTLS connection.References
For more information
If you have any questions or comments about this advisory: