The NodeSource Blog

Node.js Security Release Summary - February 2017

On January 27th, Rod Vagg announced upcoming updates to all active release lines - Node.js 4, 6, and 7. The releases were to include OpenSSL 1.0.2k, which the OpenSSL project had just released to address several security issues in the library.

The OpenSSL team rated the patched vulnerabilities as moderate severity at most, but the Node.js crypto team (Ben Noordhuis, Shigeki Ohtsu, and Fedor Indutny) has assessed their impact on Node.js as low severity.

On February 1st, Node.js released 4.7.3 "Argon" (LTS), 6.9.5 "Boron" (LTS), and 7.5.0 (Current), all with the updated OpenSSL version.

To understand the full impact that the fixed vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances, you can find details of the releases below. NodeSource truly cares about secure, reliable, and connected Node.js, and we want to ensure that you're informed about the security and stability of the Node.js platform.

Node.js Security Impact Assessment

CVE-2017-3731: Truncated packet could crash via OOB read

This is a flaw of moderate severity in OpenSSL. In the OpenSSL 1.0.2 series the out-of-bounds read is reached on 32-bit hosts when the RC4-MD5 cipher suite is in use and a truncated packet arrives. By default, all current release lines of Node.js disable RC4 (the built-in cipher list carries the permanent exclusion !RC4), so the majority of users are not affected. RC4 can, however, be re-enabled programmatically through the ciphers option of tls.createServer(), tls.connect() and the https APIs, or process-wide with the --tls-cipher-list flag, so a Node.js application can be made vulnerable to this issue. Developers who have enabled RC4 should prioritize updating to the latest version of the release line they are currently using.

Affected versions of Node.js:

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.7.3.
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.9.5.
  • The Node.js 7 Current release line is affected. Please upgrade to Node.js 7.5.0.

CVE-2017-3730: Bad DHE and ECDHE parameters cause a client crash

Because this flaw only affects OpenSSL 1.1.0, and no active Node.js release line bundles that version of OpenSSL, no Node.js release line is affected by this issue.

CVE-2017-3732: BN_mod_exp may produce incorrect results on x86_64

As noted by the OpenSSL team, there is a low likelihood of mounting an effective attack using this vulnerability: the carry-propagation bug is in the x86_64 Montgomery squaring code, the work needed to recover a key is very large, and the attacker additionally needs online access to a system that reuses the same DH private key across many connections. Node.js enables SSL_OP_SINGLE_DH_USE, which generates a fresh DH private key for every handshake, so there is no persistent key to target and the chance of successfully exploiting this vulnerability against a Node.js system is lower still.

Affected versions of Node.js:

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.7.3.
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.9.5.
  • The Node.js 7 Current release line is affected. Please upgrade to Node.js 7.5.0.

CVE-2016-7055: Montgomery multiplication may produce incorrect results

Certain big-number calculations, when run on an Intel Broadwell or later CPU, can produce erroneous results. The Node.js team previously discussed this issue on GitHub in November, and it is resolved in this release of OpenSSL. Outside of extremely specific circumstances, it is not believed practical to mount an attack based on this vulnerability, so the Node.js team has classified it as a low severity flaw.

Affected versions of Node.js:

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.7.3.
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.9.5.
  • The Node.js 7 Current release line is affected. Please upgrade to Node.js 7.5.0.
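The three affected-version lists above, together with the note under CVE-2017-3731 that RC4 can be re-enabled programmatically, reduce to two questions a deployment owner has to answer: is this process running a fixed release with OpenSSL 1.0.2k or later, and does the application's TLS cipher configuration leave RC4 reachable? The script below is an added example written for this page; it is not code from NodeSource or the Node.js project. The function names and the status labels it returns are this example's own. Because OpenSSL cipher-string aliases (ALL, MEDIUM, and DEFAULT, which still contains RC4 on the 1.0.2 series) can pull RC4 suites in indirectly, the cipher check is deliberately conservative: a list is reported safe only when it carries the permanent exclusion !RC4, as Node's own default list does.

```javascript
'use strict';
// Added example for this page (not code from NodeSource or the Node.js project).
// Two checks a deployment owner wants after reading this advisory:
//   1. assessNodeVersion(): is the running Node.js on a line the advisory
//      covers, at or above the fixed release (4.7.3, 6.9.5, 7.5.0), and is the
//      bundled OpenSSL at least 1.0.2k?
//   2. auditCipherList(): for CVE-2017-3731, does a TLS `ciphers` option (or the
//      --tls-cipher-list value) leave RC4 reachable? A list counts as safe only
//      if it carries the permanent exclusion `!RC4`; aliases such as ALL, MEDIUM
//      or DEFAULT are not expanded, so those lists come back 'unverified'.
// Function names and status labels ('patched', 'exposed', ...) are this
// example's own, not Node.js API.

// Minimum fixed release per active release line named in the advisory.
const FIXED_RELEASES = { 4: [4, 7, 3], 6: [6, 9, 5], 7: [7, 5, 0] };
// OpenSSL 1.0.2k, with the patch letter 'k' mapped to its 1-based alphabet index.
const FIXED_OPENSSL = [1, 0, 2, 11];

// "v4.7.2" or "4.7.2" -> [4, 7, 2]; null when malformed.
function parseNodeVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v).trim());
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

// "1.0.2k" -> [1, 0, 2, 11]; "1.0.2" -> [1, 0, 2, 0]; null when malformed.
// Trailing suffixes such as "-fips" or "+quic" are ignored.
function parseOpenSSLVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)([a-z]?)/.exec(String(v).trim());
  if (!m) return null;
  const letter = m[4] ? m[4].charCodeAt(0) - 'a'.charCodeAt(0) + 1 : 0;
  return [Number(m[1]), Number(m[2]), Number(m[3]), letter];
}

// Element-wise numeric comparison; missing elements count as 0.
function compareTuples(a, b) {
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Returns { status, reason }; status is 'patched' | 'vulnerable' | 'not-covered' | 'unknown'.
function assessNodeVersion(nodeVersion, opensslVersion) {
  const node = parseNodeVersion(nodeVersion);
  if (!node) return { status: 'unknown', reason: `cannot parse Node.js version ${nodeVersion}` };
  const fixed = FIXED_RELEASES[node[0]];
  if (!fixed) {
    return { status: 'not-covered',
             reason: `Node.js ${node[0]}.x is not one of the active lines (4, 6, 7) in this advisory` };
  }
  if (compareTuples(node, fixed) < 0) {
    return { status: 'vulnerable', reason: `upgrade to Node.js ${fixed.join('.')} or later` };
  }
  // A binary linked against a shared, older OpenSSL is still exposed at a fixed
  // Node.js release, so the library version is checked independently.
  const ssl = parseOpenSSLVersion(opensslVersion);
  if (!ssl || compareTuples(ssl, FIXED_OPENSSL) < 0) {
    return { status: 'vulnerable', reason: `OpenSSL ${opensslVersion} is older than 1.0.2k` };
  }
  return { status: 'patched', reason: `Node.js ${nodeVersion} with OpenSSL ${opensslVersion}` };
}

// Returns { status, reason }; status is 'safe' | 'exposed' | 'unverified'.
// An absent or empty list means Node's built-in default, which excludes RC4.
function auditCipherList(cipherList) {
  if (cipherList === undefined || cipherList === null || String(cipherList).trim() === '') {
    return { status: 'safe', reason: 'no custom list; the Node.js default excludes RC4' };
  }
  // OpenSSL accepts ':', ',' or ' ' as separators; '@' tokens are directives, not suites.
  const tokens = String(cipherList).split(/[:, ]+/).filter((t) => t && t[0] !== '@');
  if (tokens.some((t) => t.toUpperCase() === '!RC4')) {
    return { status: 'safe', reason: '!RC4 permanently removes every RC4 suite' };
  }
  // Positive tokens add suites; '-X' deletes (re-addable) and '+X' only reorders.
  const positive = tokens.filter((t) => !/^[!+-]/.test(t));
  const named = positive.find((t) => t.toUpperCase().includes('RC4'));
  if (named) {
    return { status: 'exposed', reason: `token ${named} enables RC4 and the list has no !RC4` };
  }
  return { status: 'unverified',
           reason: 'no explicit RC4 token, but an alias may include RC4; add !RC4 or verify with openssl ciphers -v' };
}

// Self-check for the current process and an optional cipher string.
function selfCheck(tlsCiphersOption) {
  return {
    runtime: assessNodeVersion(process.version, process.versions.openssl),
    ciphers: auditCipherList(tlsCiphersOption),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(selfCheck(process.env.TLS_CIPHERS), null, 2));
}
```

Run it on each host with TLS_CIPHERS set to the exact string the application passes as the ciphers option (or via --tls-cipher-list); an 'unverified' result is not a pass, it means the string relies on an alias and should either gain an explicit !RC4 or be expanded with openssl ciphers -v to confirm no RC4 suite survives.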

N|Solid Security Update - 2.1.2

We've updated N|Solid to version 2.1.2, which is now available. The release includes updated core Node.js versions for both the Argon and Boron release lines, which carry the OpenSSL update to 1.0.2k. You can download the updated N|Solid now.

Stay Secure with Node.js

For businesses and teams that want to take risk out of their reliance on third-party Node modules, NodeSource introduced NodeSource Certified Modules which offers security, reliability, and support for the modules that they rely on to run mission-critical business applications. We also offer a full line of Node.js support options as well as an Architecture Evaluation to make sure that when you need help with Node.js, you can have someone to call.