The NodeSource Blog

Node.js Security Release Summary - December 2017

Today, there was a security release for all active Node.js release lines. At time of publishing, the security vulnerabilities have been patched in semver minor releases of the Node.js 4.x, 6.x, 8.x, and 9.x release lines. The patched versions are:

  • Node.js 4.8.7
  • Node.js 6.12.2
  • Node.js 8.9.3
  • Node.js 9.2.1

CVE-2017-15896 for OpenSSL and Node.js actually surfaced from collaboration between the Node.js project, David Benjamin from the BoringSSL project at Google, and Matt Caswell of the OpenSSL project. This update marks an interesting turn of events in which the Node.js project is actively communicating and collaborating with the OpenSSL project to coordinate vulnerability handling and releases.

To understand the full impact that the patched vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances, see below.

Node.js Security Impact Assessment

CVE-2017-15896: Data Confidentiality/Integrity Vulnerability

  • Impact Level: Moderate/High
  • Affected Node.js Versions: Node.js <= 4.8.6, Node.js <= 6.12.4, Node.js <= 8.9.2, Node.js <= 9.2.1

As an effect of CVE-2017-3737 in OpenSSL, Node.js was vulnerable to an attacker sending data directly to a Node.js application that uses the core TLS or HTTP/2 modules. This vulnerability did not affect the standard HTTP module or the HTTPS module, but it did affect the TLS module in all active Node.js release lines and the HTTP/2 module in the Node.js 8.x and 9.x release lines.

There is currently no known exploit for this vulnerability; Node.js team members attempted to find one while resolving the issue in Node.js core and were unable to.

This vulnerability has been patched in conjunction with another CVE (CVE-2017-3738) in OpenSSL of low impact to Node.js.

Affected Node.js Release Lines

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.8.7.
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.12.5.
  • The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.9.3.
  • The Node.js 9 release line is affected. Please upgrade to Node.js 9.2.1.

CVE-2017-15897: Uninitialized buffer vulnerability

  • Impact Level: High
  • Affected Node.js Versions: Node.js < v8.9.2, Node.js < 9.2.1.

A bug in the Node.js 8.x and 9.x release lines could cause buffers allocated with .alloc() (the zero-fill allocator) to not actually be zero-filled when the fill value did not precisely match the buffer's specified encoding.
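The failure mode above, as an added example that is not code from the NodeSource post or from Node.js core: a defensive wrapper that zero-fills first and only then overlays a fill already decoded to bytes, so a fill value that cannot be decoded in the requested encoding can never leave the buffer uninitialized. The names safeAlloc, fillPattern and verifyFill are assumptions chosen for this example, and the inputs in demo() are constructed.

```javascript
// Added example, not code from the NodeSource post or from Node.js core.
// Strategy: allocate zero-filled, decode the fill value to a byte pattern
// up front, and apply that pattern only if it is non-empty. safeAlloc,
// fillPattern and verifyFill are hypothetical names for this example.

// Decode the fill argument to the byte pattern that should repeat through
// the buffer. Returns an empty Buffer when the fill is undecodable in the
// given encoding (e.g. 'zz' under 'hex'), which callers treat as "no fill".
function fillPattern(fill, encoding = 'utf8') {
  if (fill === undefined || fill === null) return Buffer.alloc(0);
  if (typeof fill === 'number') return Buffer.from([fill & 0xff]);
  if (Buffer.isBuffer(fill)) return fill;
  return Buffer.from(String(fill), encoding); // invalid input decodes to length 0
}

// Zero-fill first, then overlay the decoded pattern. The pattern is a
// Buffer, so no string encoding is involved at fill time.
function safeAlloc(size, fill, encoding = 'utf8') {
  const buf = Buffer.alloc(size); // zero-filled by contract
  const pattern = fillPattern(fill, encoding);
  if (pattern.length > 0) buf.fill(pattern);
  return buf;
}

// Audit helper: true only if every byte of buf matches the repeating
// pattern (or is zero when no pattern applies), i.e. no byte was left
// holding whatever the allocator handed out.
function verifyFill(buf, pattern) {
  const expected = pattern.length > 0 ? pattern : Buffer.from([0]);
  for (let i = 0; i < buf.length; i++) {
    if (buf[i] !== expected[i % expected.length]) return false;
  }
  return true;
}

// Constructed inputs: a valid hex fill and an undecodable one.
function demo() {
  const ok = safeAlloc(8, 'ab', 'hex');   // ab repeated 8 times
  const bad = safeAlloc(8, 'zz', 'hex');  // all zero, never stale memory
  return {
    okFilled: verifyFill(ok, fillPattern('ab', 'hex')),
    badZeroed: verifyFill(bad, fillPattern('zz', 'hex')),
    badHex: bad.toString('hex'),
  };
}

console.log(demo());
```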

Affected Node.js Release Lines

  • The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.9.3.
  • The Node.js 9 release line is affected. Please upgrade to Node.js 9.2.1.

Stay Secure with Node.js

For businesses and teams that need to take risk out of their reliance on third-party Node.js modules, NodeSource introduced NodeSource Certified Modules which offers security, reliability, and support for modules that power mission-critical business applications. We also offer extensive, enterprise-grade Node.js Support as well as professional services around Node.js to make sure that when you need help with Node.js, you’ll have someone on your side.