CVE-2022-31183
fs2-io skips mTLS client verification
Description
### Impact When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` running on Node.js. The JVM TLS implementation is completely independent. 2. `TLSSocket`s in server-mode. Client-mode `TLSSocket`s are implemented via a different API. 3. mTLS as enabled via `requestCert = true` in `TLSParameters`. The default setting is `false` for server-mode `TLSSocket`s. It was introduced with the initial Node.js implementation of fs2-io in v3.1.0. ### Patches A patch is released in v3.2.11. The `requestCert = true` parameter is respected and the peer certificate is verified. If verification fails, a `SSLException` is raised. ### Workarounds If using an unpatched version on Node.js, do not use a server-mode `TLSSocket` with `requestCert = true` to establish a mTLS connection. ### References - https://github.com/nodejs/node/issues/43994 - https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/ ### For more information If you have any questions or comments about this advisory: * [Open an issue.](https://github.com/typelevel/fs2/issues/new/choose) * Contact the [Typelevel Security Team](https://github.com/typelevel/.github/blob/main/SECURITY.md).
How to fix CVE-2022-31183
To remediate CVE-2022-31183, upgrade the affected package to a fixed version below.
- —upgrade to 3.2.11 or later
- —upgrade to 3.2.11 or later
- —upgrade to 3.2.11 or later
- —upgrade to 3.2.11 or later
- —upgrade to 3.2.11 or later
- —upgrade to 3.2.11 or later