CVE-2022-31183

描述

### Impact When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in v3.1.0. ### Patches A patch is released in v3.2.11. The `requestCert = true` parameter is respected and the peer certificate is verified. If verification fails, a `SSLException` is raised. ### Workarounds If using an unpatched version on Node.js, do not use a server-mode `TLSSocket` with `requestCert = true` to establish a mTLS connection. ### References - https://github.com/nodejs/node/issues/43994 - https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/ ### For more information If you have any questions or comments about this advisory: * [Open an issue.](https://github.com/typelevel/fs2/issues/new/choose) * Contact the [Typelevel Security Team](https://github.com/typelevel/.github/blob/main/SECURITY.md).

如何修補 CVE-2022-31183

要修補 CVE-2022-31183,請將受影響套件升級到下列已修補版本。

• —升級至 3.2.11 或更新版本
• —升級至 3.2.11 或更新版本
• —升級至 3.2.11 或更新版本
• —升級至 3.2.11 或更新版本
• —升級至 3.2.11 或更新版本
• —升級至 3.2.11 或更新版本

CVE-2022-31183 正在被利用嗎?