製品・ソフトウェアに関する情報

JVN脆弱性詳細

Node.js の tls.checkServerIdentity 関数におけるサーバになりすまされる脆弱性

Title	Node.js の tls.checkServerIdentity 関数におけるサーバになりすまされる脆弱性
Summary	Node.js の tls.checkServerIdentity 関数は、X.509 証明書の名前フィールド内のワイルドカードを適切に処理しないため、サーバになりすまされる脆弱性が存在します。補足情報 : CWE による脆弱性タイプは、CWE-19: Data Handling (データ処理) と識別されています。 http://cwe.mitre.org/data/definitions/19.html
Possible impacts	中間者攻撃 (man-in-the-middle attack) により、巧妙に細工された証明書を介して、サーバになりすまされる可能性があります。
Solution	ベンダより正式な対策が公開されています。ベンダ情報を参照して適切な対策を実施してください。
Publication Date	Sept. 23, 2016, midnight
Registration Date	Oct. 13, 2016, 2:06 p.m.
Last Update	Oct. 13, 2016, 2:06 p.m.

CVSS3.0 : 警告
Score	5.9
Vector	CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2.0 : 警告
Score	4.3
Vector	AV:N/AC:M/Au:N/C:N/I:P/A:N

Affected System

SUSE

SUSE Linux Enterprise Module for Web Scripting 12

Node.js Foundation

Node.js 0.10.47 (Maintenance) 未満の 0.10.x

Node.js 0.12.16 (Maintenance) 未満の 0.12.x

Node.js 4.6.0 (LTS "Argon") 未満の 4.x

Node.js 6.7.0 (Current) 未満の 6.x

CVE (情報セキュリティ共通脆弱性識別子)

No	Name	URL
Common Vulnerabilities and Exposures (CVE)
1	CVE-2016-7099	http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7099
National Vulnerability Database (NVD)
2	CVE-2016-7099	http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-7099

CWE (共通脆弱性タイプ一覧)

No	Name	URL
JVNDB
1	CWE-Other	https://www.ipa.go.jp/security/vuln/CWE.html#CWEOther

ベンダー情報

No	Name	URL
GitHub
1	lib: make tls.checkServerIdentity() more strict	https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b
Node.js Foundation
2	Security updates for all active release lines, September 2016	https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/
opensuse-security-announce
3	SUSE-SU-2016:2470	https://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html

Change Log

No	Changed Details	Date of change
0	[2016年10月13日] 掲載	Feb. 17, 2018, 10:37 a.m.

NVD Vulnerability Information

CVE-2016-7099

Summary	The tls.checkServerIdentity function in Node.js 0.10.x before 0.10.47, 0.12.x before 0.12.16, 4.x before 4.6.0, and 6.x before 6.7.0 does not properly handle wildcards in name fields of X.509 certificates, which allows man-in-the-middle attackers to spoof servers via a crafted certificate.
Publication Date	Oct. 11, 2016, 1:59 a.m.
Registration Date	Jan. 26, 2021, 2:16 p.m.
Last Update	Nov. 21, 2024, 11:57 a.m.

Affected software configurations

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:nodejs:node.js:0.10.9:::::::*
cpe:2.3:a:nodejs:node.js:0.10.11:::::::*
cpe:2.3:a:nodejs:node.js:0.10.21:::::::*
cpe:2.3:a:nodejs:node.js:0.10.4:::::::*
cpe:2.3:a:nodejs:node.js:0.10.41:::::::*
cpe:2.3:a:nodejs:node.js:0.10.20:::::::*
cpe:2.3:a:nodejs:node.js:0.10.18:::::::*
cpe:2.3:a:nodejs:node.js:0.10.39:::::::*
cpe:2.3:a:nodejs:node.js:0.10.29:::::::*
cpe:2.3:a:nodejs:node.js:0.10.31:::::::*
cpe:2.3:a:nodejs:node.js:0.10.2:::::::*
cpe:2.3:a:nodejs:node.js:0.10.46:::::::*
cpe:2.3:a:nodejs:node.js:0.10.43:::::::*
cpe:2.3:a:nodejs:node.js:0.10.30:::::::*
cpe:2.3:a:nodejs:node.js:0.10.25:::::::*
cpe:2.3:a:nodejs:node.js:0.10.14:::::::*
cpe:2.3:a:nodejs:node.js:0.10.24:::::::*
cpe:2.3:a:nodejs:node.js:0.10.36:::::::*
cpe:2.3:a:nodejs:node.js:0.10.5:::::::*
cpe:2.3:a:nodejs:node.js:0.10.15:::::::*
cpe:2.3:a:nodejs:node.js:0.10.32:::::::*
cpe:2.3:a:nodejs:node.js:0.10.35:::::::*
cpe:2.3:a:nodejs:node.js:0.10.40:::::::*
cpe:2.3:a:nodejs:node.js:0.10.16:::::::*
cpe:2.3:a:nodejs:node.js:0.10.38:::::::*
cpe:2.3:a:nodejs:node.js:0.10.19:::::::*
cpe:2.3:a:nodejs:node.js:0.10.27:::::::*
cpe:2.3:a:nodejs:node.js:0.10.7:::::::*
cpe:2.3:a:nodejs:node.js:0.10.10:::::::*
cpe:2.3:a:nodejs:node.js:0.10.26:::::::*
cpe:2.3:a:nodejs:node.js:0.10.17:::::::*
cpe:2.3:a:nodejs:node.js:0.10.13:::::::*
cpe:2.3:a:nodejs:node.js:0.10.45:::::::*
cpe:2.3:a:nodejs:node.js:0.10.6:::::::*
cpe:2.3:a:nodejs:node.js:0.10.8:::::::*
cpe:2.3:a:nodejs:node.js:0.10.42:::::::*
cpe:2.3:a:nodejs:node.js:0.10.37:::::::*
cpe:2.3:a:nodejs:node.js:0.10.44:::::::*
cpe:2.3:a:nodejs:node.js:0.10.12:::::::*
cpe:2.3:a:nodejs:node.js:0.10.28:::::::*
cpe:2.3:a:nodejs:node.js:0.10.34:::::::*
cpe:2.3:a:nodejs:node.js:0.10.1:::::::*
cpe:2.3:a:nodejs:node.js:0.10.33:::::::*
cpe:2.3:a:nodejs:node.js:0.10.3:::::::*
cpe:2.3:a:nodejs:node.js:0.10.22:::::::*
cpe:2.3:a:nodejs:node.js:0.10.0:::::::*
cpe:2.3:a:nodejs:node.js:0.10.16-isaacs-manual:::::::*
cpe:2.3:a:nodejs:node.js:0.10.23:::::::*

Configuration2		or higher	or less	more than	less than
cpe:2.3:o:suse:linux_enterprise:12.0:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:nodejs:node.js:6.0.0:::::::*
cpe:2.3:a:nodejs:node.js:6.2.0:::::::*
cpe:2.3:a:nodejs:node.js:6.3.0:::::::*
cpe:2.3:a:nodejs:node.js:6.4.0:::::::*
cpe:2.3:a:nodejs:node.js:6.1.0:::::::*
cpe:2.3:a:nodejs:node.js:6.2.2:::::::*
cpe:2.3:a:nodejs:node.js:6.3.1:::::::*
cpe:2.3:a:nodejs:node.js:6.6.0:::::::*
cpe:2.3:a:nodejs:node.js:6.2.1:::::::*
cpe:2.3:a:nodejs:node.js:6.5.0:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:nodejs:node.js:0.12.15:::::::*
cpe:2.3:a:nodejs:node.js:0.12.4:::::::*
cpe:2.3:a:nodejs:node.js:0.12.7:::::::*
cpe:2.3:a:nodejs:node.js:0.12.13:::::::*
cpe:2.3:a:nodejs:node.js:0.12.1:::::::*
cpe:2.3:a:nodejs:node.js:0.12.14:::::::*
cpe:2.3:a:nodejs:node.js:0.12.2:::::::*
cpe:2.3:a:nodejs:node.js:0.12.12:::::::*
cpe:2.3:a:nodejs:node.js:0.12.5:::::::*
cpe:2.3:a:nodejs:node.js:0.12.8:::::::*
cpe:2.3:a:nodejs:node.js:0.12.10:::::::*
cpe:2.3:a:nodejs:node.js:0.12.9:::::::*
cpe:2.3:a:nodejs:node.js:0.12.6:::::::*
cpe:2.3:a:nodejs:node.js:0.12.3:::::::*
cpe:2.3:a:nodejs:node.js:0.12.11:::::::*
cpe:2.3:a:nodejs:node.js:0.12.0:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:nodejs:node.js:4.3.0:::::::*
cpe:2.3:a:nodejs:node.js:4.0.0:::::::*
cpe:2.3:a:nodejs:node.js:4.5.0:::::::*
cpe:2.3:a:nodejs:node.js:4.3.2:::::::*
cpe:2.3:a:nodejs:node.js:4.4.4:::::::*
cpe:2.3:a:nodejs:node.js:4.3.1:::::::*
cpe:2.3:a:nodejs:node.js:4.4.2:::::::*
cpe:2.3:a:nodejs:node.js:4.1.1:::::::*
cpe:2.3:a:nodejs:node.js:4.2.3:::::::*
cpe:2.3:a:nodejs:node.js:4.4.7:::::::*
cpe:2.3:a:nodejs:node.js:4.2.4:::::::*
cpe:2.3:a:nodejs:node.js:4.2.5:::::::*
cpe:2.3:a:nodejs:node.js:4.1.2:::::::*
cpe:2.3:a:nodejs:node.js:4.2.1:::::::*
cpe:2.3:a:nodejs:node.js:4.4.5:::::::*
cpe:2.3:a:nodejs:node.js:4.4.3:::::::*
cpe:2.3:a:nodejs:node.js:4.2.6:::::::*
cpe:2.3:a:nodejs:node.js:4.4.6:::::::*
cpe:2.3:a:nodejs:node.js:4.4.0:::::::*
cpe:2.3:a:nodejs:node.js:4.2.2:::::::*
cpe:2.3:a:nodejs:node.js:4.1.0:::::::*
cpe:2.3:a:nodejs:node.js:4.4.1:::::::*
cpe:2.3:a:nodejs:node.js:4.2.0:::::::*

Related information, measures and tools

No	URL	タグ
1	http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html	Third Party Advisory
2	http://lists.opensuse.org/opensuse-security-announce/2016-10/msg00013.html	Third Party Advisory
3	http://rhn.redhat.com/errata/RHSA-2017-0002.html
4	http://rhn.redhat.com/errata/RHSA-2017-0002.html
5	http://www.securityfocus.com/bid/93191	Third Party Advisory VDB Entry
6	http://www.securityfocus.com/bid/93191	Third Party Advisory VDB Entry
7	https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b	Issue Tracking Patch
8	https://github.com/nodejs/node/commit/743f0c916469f3129dfae406fa104dc46782e20b	Issue Tracking Patch
9	https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/	Patch Vendor Advisory
10	https://nodejs.org/en/blog/vulnerability/september-2016-security-releases/	Patch Vendor Advisory

Common Vulnerabilities List

Configuration1	or higher	or less	more than	less than
cpe:2.3:a:nodejs:node.js:0.10.9:::::::*
cpe:2.3:a:nodejs:node.js:0.10.11:::::::*
cpe:2.3:a:nodejs:node.js:0.10.21:::::::*
cpe:2.3:a:nodejs:node.js:0.10.4:::::::*
cpe:2.3:a:nodejs:node.js:0.10.41:::::::*
cpe:2.3:a:nodejs:node.js:0.10.20:::::::*
cpe:2.3:a:nodejs:node.js:0.10.18:::::::*
cpe:2.3:a:nodejs:node.js:0.10.39:::::::*
cpe:2.3:a:nodejs:node.js:0.10.29:::::::*
cpe:2.3:a:nodejs:node.js:0.10.31:::::::*
cpe:2.3:a:nodejs:node.js:0.10.2:::::::*
cpe:2.3:a:nodejs:node.js:0.10.46:::::::*
cpe:2.3:a:nodejs:node.js:0.10.43:::::::*
cpe:2.3:a:nodejs:node.js:0.10.30:::::::*
cpe:2.3:a:nodejs:node.js:0.10.25:::::::*
cpe:2.3:a:nodejs:node.js:0.10.14:::::::*
cpe:2.3:a:nodejs:node.js:0.10.24:::::::*
cpe:2.3:a:nodejs:node.js:0.10.36:::::::*
cpe:2.3:a:nodejs:node.js:0.10.5:::::::*
cpe:2.3:a:nodejs:node.js:0.10.15:::::::*
cpe:2.3:a:nodejs:node.js:0.10.32:::::::*
cpe:2.3:a:nodejs:node.js:0.10.35:::::::*
cpe:2.3:a:nodejs:node.js:0.10.40:::::::*
cpe:2.3:a:nodejs:node.js:0.10.16:::::::*
cpe:2.3:a:nodejs:node.js:0.10.38:::::::*
cpe:2.3:a:nodejs:node.js:0.10.19:::::::*
cpe:2.3:a:nodejs:node.js:0.10.27:::::::*
cpe:2.3:a:nodejs:node.js:0.10.7:::::::*
cpe:2.3:a:nodejs:node.js:0.10.10:::::::*
cpe:2.3:a:nodejs:node.js:0.10.26:::::::*
cpe:2.3:a:nodejs:node.js:0.10.17:::::::*
cpe:2.3:a:nodejs:node.js:0.10.13:::::::*
cpe:2.3:a:nodejs:node.js:0.10.45:::::::*
cpe:2.3:a:nodejs:node.js:0.10.6:::::::*
cpe:2.3:a:nodejs:node.js:0.10.8:::::::*
cpe:2.3:a:nodejs:node.js:0.10.42:::::::*
cpe:2.3:a:nodejs:node.js:0.10.37:::::::*
cpe:2.3:a:nodejs:node.js:0.10.44:::::::*
cpe:2.3:a:nodejs:node.js:0.10.12:::::::*
cpe:2.3:a:nodejs:node.js:0.10.28:::::::*
cpe:2.3:a:nodejs:node.js:0.10.34:::::::*
cpe:2.3:a:nodejs:node.js:0.10.1:::::::*
cpe:2.3:a:nodejs:node.js:0.10.33:::::::*
cpe:2.3:a:nodejs:node.js:0.10.3:::::::*
cpe:2.3:a:nodejs:node.js:0.10.22:::::::*
cpe:2.3:a:nodejs:node.js:0.10.0:::::::*
cpe:2.3:a:nodejs:node.js:0.10.16-isaacs-manual:::::::*
cpe:2.3:a:nodejs:node.js:0.10.23:::::::*

Configuration3	or higher	or less	more than	less than
cpe:2.3:a:nodejs:node.js:6.0.0:::::::*
cpe:2.3:a:nodejs:node.js:6.2.0:::::::*
cpe:2.3:a:nodejs:node.js:6.3.0:::::::*
cpe:2.3:a:nodejs:node.js:6.4.0:::::::*
cpe:2.3:a:nodejs:node.js:6.1.0:::::::*
cpe:2.3:a:nodejs:node.js:6.2.2:::::::*
cpe:2.3:a:nodejs:node.js:6.3.1:::::::*
cpe:2.3:a:nodejs:node.js:6.6.0:::::::*
cpe:2.3:a:nodejs:node.js:6.2.1:::::::*
cpe:2.3:a:nodejs:node.js:6.5.0:::::::*

Configuration4	or higher	or less	more than	less than
cpe:2.3:a:nodejs:node.js:0.12.15:::::::*
cpe:2.3:a:nodejs:node.js:0.12.4:::::::*
cpe:2.3:a:nodejs:node.js:0.12.7:::::::*
cpe:2.3:a:nodejs:node.js:0.12.13:::::::*
cpe:2.3:a:nodejs:node.js:0.12.1:::::::*
cpe:2.3:a:nodejs:node.js:0.12.14:::::::*
cpe:2.3:a:nodejs:node.js:0.12.2:::::::*
cpe:2.3:a:nodejs:node.js:0.12.12:::::::*
cpe:2.3:a:nodejs:node.js:0.12.5:::::::*
cpe:2.3:a:nodejs:node.js:0.12.8:::::::*
cpe:2.3:a:nodejs:node.js:0.12.10:::::::*
cpe:2.3:a:nodejs:node.js:0.12.9:::::::*
cpe:2.3:a:nodejs:node.js:0.12.6:::::::*
cpe:2.3:a:nodejs:node.js:0.12.3:::::::*
cpe:2.3:a:nodejs:node.js:0.12.11:::::::*
cpe:2.3:a:nodejs:node.js:0.12.0:::::::*

Configuration5	or higher	or less	more than	less than
cpe:2.3:a:nodejs:node.js:4.3.0:::::::*
cpe:2.3:a:nodejs:node.js:4.0.0:::::::*
cpe:2.3:a:nodejs:node.js:4.5.0:::::::*
cpe:2.3:a:nodejs:node.js:4.3.2:::::::*
cpe:2.3:a:nodejs:node.js:4.4.4:::::::*
cpe:2.3:a:nodejs:node.js:4.3.1:::::::*
cpe:2.3:a:nodejs:node.js:4.4.2:::::::*
cpe:2.3:a:nodejs:node.js:4.1.1:::::::*
cpe:2.3:a:nodejs:node.js:4.2.3:::::::*
cpe:2.3:a:nodejs:node.js:4.4.7:::::::*
cpe:2.3:a:nodejs:node.js:4.2.4:::::::*
cpe:2.3:a:nodejs:node.js:4.2.5:::::::*
cpe:2.3:a:nodejs:node.js:4.1.2:::::::*
cpe:2.3:a:nodejs:node.js:4.2.1:::::::*
cpe:2.3:a:nodejs:node.js:4.4.5:::::::*
cpe:2.3:a:nodejs:node.js:4.4.3:::::::*
cpe:2.3:a:nodejs:node.js:4.2.6:::::::*
cpe:2.3:a:nodejs:node.js:4.4.6:::::::*
cpe:2.3:a:nodejs:node.js:4.4.0:::::::*
cpe:2.3:a:nodejs:node.js:4.2.2:::::::*
cpe:2.3:a:nodejs:node.js:4.1.0:::::::*
cpe:2.3:a:nodejs:node.js:4.4.1:::::::*
cpe:2.3:a:nodejs:node.js:4.2.0:::::::*