Node.js Security Release Summary - February 2019
Today, there was a security release for all active Node.js release lines. At time of publishing, three vulnerabilities have been patched in the Node.js 6, Node.js 8, Node.js 10, and Node.js 11 release lines. The highest level severity in this release is MODERATE.
The patched Node.js versions are:
- Node.js 11.10.1 (Current)
- Node.js 10.15.2 (LTS "Dubnium")
- Node.js 8.15.1 (LTS "Carbon")
- Node.js 6.17.0 (LTS "Boron")
To understand the full impact of patched vulnerabilities and the urgency of the upgrades for your deployment, please see below.
Thank you to the following people, who helped to identify and resolve the security issues that were patched in these releases:
Node.js Security Impact Assessment
CVE-2019-5737: Slowloris HTTP Denial of Service with keep-alive
Impact Level: Low
This vulnerability is related to CVE-2018-12121, which was addressed in the November 2018 security release
Affected Node.js Release Lines
- The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.17.0.
- The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.15.1.
- The Node.js 10 Dubnium LTS release line is affected. Please upgrade to Node.js 10.15.2.
- The Node.js 11 release line is affected. Please upgrade to Node.js 11.10.1.
CVE-2019-5739: Denial of Service with keep-alive HTTP connections
Only Node.js versions 6.16.0 and earlier are affected by this issue, as these versions allow both HTTP and HTTPS connections to remain open (but inactive) for up to 2 minutes.
Affected Node.js Release Lines
- The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.17.0.
- The Node.js 8 Carbon LTS release line is NOT affected.
- The Node.js 10 Dubnium LTS release line is NOT affected.
- The Node.js 11 release line is NOT affected.
CVE-2019-1559: 0-byte record padding oracle
Impact Level: Moderate
Only some TLS connections are subject to this vulnerability, depending on some additional execution conditions and the ciphersuite being used. For more information, please see this write-up.
Affected Node.js Release Lines
- The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.17.0.
- The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.15.1.
- The Node.js 10 Dubnium LTS release line is NOT affected.
- The Node.js 11 release line is NOT affected.
N|Solid 3.4.6 Update
We've shipped N|Solid 3.4.6, which includes these security updates. If you're using N|Solid in development or production, we highly reccoment you update as soon as humanly possible.
If you need assistance upgrading your N|Solid deployments, we're here to help 🤗
Stay Secure with Node.js
Node.js is a highly reliable and actively maintained platform. That said, the code you rely on isn’t always part of Node.js. If you’re deploying Node.js applications to production, you should be actively monitoring the code you’re deploying for performance degradation and vulnerabilities introduced by third-party code.
NodeSource can help you monitor your production code for issues in real-time with N|Solid. We also offer extensive, enterprise-grade Node.js Support as well as professional services around Node.js to make sure that you'll have someone on your side when you need help.