CVE-2022-31183 – co.fs2:fs2-io

Package

Manager: maven
Name: co.fs2:fs2-io
Vulnerable Version: >=3.1.0 <3.2.11

Severity

Level: Critical

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

EPSS: 0.002 pctl0.42284

Details

fs2-io skips mTLS client verification ### Impact When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in v3.1.0. ### Patches A patch is released in v3.2.11. The `requestCert = true` parameter is respected and the peer certificate is verified. If verification fails, a `SSLException` is raised. ### Workarounds If using an unpatched version on Node.js, do not use a server-mode `TLSSocket` with `requestCert = true` to establish a mTLS connection. ### References - https://github.com/nodejs/node/issues/43994 - https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/ ### For more information If you have any questions or comments about this advisory: * [Open an issue.](https://github.com/typelevel/fs2/issues/new/choose) * Contact the [Typelevel Security Team](https://github.com/typelevel/.github/blob/main/SECURITY.md).

Metadata

Created: 2022-07-29T22:24:10Z
Modified: 2022-08-11T17:05:49Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/07/GHSA-2cpx-6pqp-wf35/GHSA-2cpx-6pqp-wf35.json
CWE IDs: ["CWE-295"]
Alternative ID: GHSA-2cpx-6pqp-wf35
Finding: F163
Auto approve: 1