CVE-2022-41919
Denial of Service vulnerability in fastify (npm)
What is CVE-2022-41919 About?
This vulnerability in OpenSSL allows for a Denial of Service attack when processing a maliciously formatted PKCS12 file. It can lead to applications abruptly terminating due to a crash. Exploitation is relatively easy if an application processes untrusted PKCS12 files using the affected OpenSSL APIs.
Affected Software
- fastify
  - >3.0.0, <3.29.4
  - >4.0.0, <4.10.2
Technical Details
The vulnerability arises because OpenSSL does not correctly check for NULL fields in PKCS12 files, even though the specification allows them. This oversight can lead to a NULL pointer dereference when affected OpenSSL APIs, such as PKCS12_parse(), PKCS12_unpack_p7data(), PKCS12_unpack_p7encdata(), PKCS12_unpack_authsafes(), and PKCS12_newpass(), process a malformed PKCS12 file. When such a file from an untrusted source is processed, the NULL pointer dereference causes OpenSSL to crash, resulting in a Denial of Service for the application utilizing it. A similar issue was fixed in SMIME_write_PKCS7(), but it was deemed less security-significant due to its nature of writing data.
What is the Impact of CVE-2022-41919?
Successful exploitation may allow attackers to cause critical application services to become unavailable, leading to disruption of operations due to system crashes and unresponsiveness.
What is the Exploitability of CVE-2022-41919?
Exploitation of this vulnerability is of moderate complexity. It requires an attacker to craft a specially malformed PKCS12 file. The attacker needs to deliver this file to a target application that uses affected OpenSSL APIs and processes PKCS12 files from untrusted sources. There are no specific authentication or privilege requirements to trigger the vulnerability beyond the application's normal file processing mechanisms. It typically involves remote interaction, such as uploading or providing the malicious file. The likelihood of exploitation increases if the application frequently handles external PKCS12 files without sufficient validation.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for CVE-2022-41919?
Available Upgrade Options
- fastify
  - >3.0.0, <3.29.4 → Upgrade to 3.29.4
- fastify
  - >4.0.0, <4.10.2 → Upgrade to 4.10.2
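To turn the upgrade table above into a check a defender can run against a project, the following is an added example (not code from the advisory, from fastify, or from Resolved Security). It hard-codes the two affected ranges exactly as the page lists them (both bounds exclusive) and walks the `packages` map of an npm lockfile (lockfile v2/v3 layout is an assumption) to report every installed `fastify` copy that falls inside a range, together with the fixed version to move to. The lockfile fragment at the bottom is constructed for the demonstration.

```javascript
// Added example: flag installed fastify versions that fall inside the affected
// ranges listed in this advisory and name the fixed version to upgrade to.
// Plain Node.js, no third-party dependencies.

// Affected ranges copied from the advisory; "above" and "below" are both
// exclusive bounds, as the page writes them (>x.y.z, <a.b.c).
const AFFECTED_RANGES = [
  { above: '3.0.0', below: '3.29.4', fixed: '3.29.4' },
  { above: '4.0.0', below: '4.10.2', fixed: '4.10.2' },
];

// Parse "major.minor.patch" (optional leading "v"); prerelease/build suffixes
// are ignored, which is a simplification compared with full semver ordering.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of two version strings: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Returns { affected, upgradeTo } for a single fastify version string.
function checkFastifyVersion(version) {
  for (const r of AFFECTED_RANGES) {
    const aboveLower = compareVersions(version, r.above) > 0;
    const belowUpper = compareVersions(version, r.below) < 0;
    if (aboveLower && belowUpper) {
      return { affected: true, upgradeTo: r.fixed };
    }
  }
  return { affected: false, upgradeTo: null };
}

// Walk a parsed package-lock.json (v2/v3 "packages" map, keyed by install
// path) and collect every fastify copy, including nested ones under plugins.
function findAffectedInLock(lock) {
  const hits = [];
  const packages = lock.packages || {};
  for (const [path, meta] of Object.entries(packages)) {
    const isFastify =
      path === 'node_modules/fastify' || path.endsWith('/node_modules/fastify');
    if (!isFastify || !meta || !meta.version) continue;
    const res = checkFastifyVersion(meta.version);
    if (res.affected) {
      hits.push({ path, version: meta.version, upgradeTo: res.upgradeTo });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment (not taken from any real project):
// one affected root copy and one already-fixed nested copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', version: '1.0.0' },
    'node_modules/fastify': { version: '4.10.1' },
    'node_modules/some-plugin/node_modules/fastify': { version: '3.29.4' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Real use: JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))
  console.log(findAffectedInLock(SAMPLE_LOCK));
}
```

Run it with `node check-fastify.js` after swapping `SAMPLE_LOCK` for the parsed contents of the project's `package-lock.json`; nested copies matter because a plugin can pin its own older fastify underneath `node_modules`.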
Additional Resources
- https://github.com/fastify/fastify/security/advisories/GHSA-3fjj-p79j-c9hh
- https://github.com/fastify/fastify
- https://osv.dev/vulnerability/GHSA-3fjj-p79j-c9hh
- https://nvd.nist.gov/vuln/detail/CVE-2022-41919
- https://www.npmjs.com/package/@fastify/csrf
- https://github.com/fastify/fastify/commit/62dde76f1f7aca76e38625fe8d983761f26e6fc9
What are Similar Vulnerabilities to CVE-2022-41919?
Similar Vulnerabilities: CVE-2023-3446, CVE-2023-3447, CVE-2023-5363, CVE-2022-2068, CVE-2022-1292
