
CVE-2022-31183: fs2-io skips mTLS client verification

CVSS Score: 9.8 (CVSS v3.1)

Basic Information

EPSS Score: 0.3459%
Published: 7/29/2022
Updated: 1/31/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
| Package Name  | Ecosystem | Vulnerable Versions | First Patched Version |
|---------------|-----------|---------------------|-----------------------|
| co.fs2:fs2-io | maven     | >= 3.1.0, < 3.2.11  | 3.2.11                |

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from the Node.js server-mode TLSSocket implementation in fs2-io. The pre-patch code in TLSContextPlatform.scala created TLSSockets without:

  1. Listening for the 'secure' event to trigger verification
  2. Checking tlsSock.ssl.verifyError() for certificate validation errors
  3. Properly wiring the rejectUnauthorized logic

The commit diff shows that the patch added these missing verification steps using once("secure") and ssl.verifyError(). The vulnerable function is the server socket builder, which omitted these checks even when requestCert=true was set; that omission is the root cause of the improper certificate validation.

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

### Impact

When establishing a server-mode `TLSSocket` using `fs2-io` on Node.js, the parameter `requestCert = true` is ignored, peer certificate verification is skipped, and the connection proceeds. The vulnerability is limited to: 1. `fs2-io` run
