Node.js Security Release Summary - July 2017 - NodeSource

The NodeSource Blog

You have reached the beginning of time!

Node.js Security Release Summary - July 2017

On July 11th, Michael Dawson announced expected updates to the Node.js 4, 6, 7 and 8 release lines. The possibility of a Denial of Service vulnerability in all release lines from 4.x to 8.x was shared at this time.

Additionally, two other security patches were included, one applicable to all Node.js releases (not just active release lines, but all versions) in a dependency of the project and another that's exclusively applicable to the Node.js 4 release line.

At the time of publishing, the security vulnerabilities have been patched and released. The patched versions for each release line are:

  • Node.js 8.1.4
  • Node.js 7.10.1
  • Node.js 6.11.1
  • Node.js 4.8.4

To understand the full impact that the fixed vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances, you can find details of the releases below. At NodeSource, we truly care about secure, reliable, and connected Node.js, and we want to ensure that you're informed about the security and stability of the Node.js platform.

Node.js Security Impact Assessment

CVE Pending: Constant Hashtable Seeds

  • Impact Level: High
  • Affected Node.js Versions: 4.x, 6.x, 7.x, 8.x

As a result of building Node.js with V8 snapshots enabled by default, initially randomized HashTable seeds were overwritten in the Node.js build process for each released version of Node.js. This minor error resulted in Node.js being susceptible to remote DNS attacks via hash flooding.

Node.js was susceptible to hash flooding remote DoS attacks as the HashTable seed was constant across a given released version of Node.js. This was a result of building with V8 snapshots enabled by default which caused the initially randomized seed to be overwritten on startup.

This vulnerability was reported by Jann Horn of Google Project Zero. 🙏

Affected versions of Node.js

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.8.4.
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.11.1.
  • The Node.js 7 release line is affected. Please upgrade to Node.js 7.10.1 or move on to 8.1.4 due to Node.js 7's current EOL status.
  • The Node.js 8 release line is affected. Please upgrade to Node.js 8.1.4.

CVE-2017-1000381: c-ares NAPTR parser out of bounds access

  • Impact Level: Low
  • Affected Node.js Versions: 4.x, 6.x, 7.x, 8.x

A security vulnerability in c-ares, applicable to all versions of Node.js, has been discovered and disclosed in CVE-2017-1000381.

This vulnerabilitiy allowed reading memory outside a given input buffer through specifically crafted DNS response packages via parsing of NAPTR responses. The patch recommended in the CVE in all currently active Node.js release lines, in addition to Node.js 7.

Affected versions of Node.js:

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.8.4.
  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.11.1.
  • The Node.js 7 release line is affected. Please upgrade to Node.js 7.10.1 or move on to 8.1.4 due to Node.js 7's current EOL status.
  • The Node.js 8 release line is affected. Please upgrade to Node.js 8.1.4.

Node.js 4 Argon LTS: http.get with numeric authorization options creates uninitialized buffers

  • Impact Level: Low
  • Affected Node.js Versions: 4.x

In instances where http.get() was used in applications running on Node.js 4.x that allowed the auth field to be set with a number could result in uninitialized buffers to be created and used as the method's authentication string.

This has been patched in Node.js 4.x as of 4.8.4 - you can now expect a TypeError to be thrown if the auth field is a number when the http.get() method is called.
Parsing of the auth field has been updated in the 4.x release so that a TypeError will be thrown if the auth field is a number when http.get() is called.

Affected versions of Node.js

  • The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.8.4.

N|Solid Security Update - 2.2.1

We've updated N|Solid to version 2.2.1, which is now available. The release includes updated core Node.js versions for both the Argon and Boron release lines, which includes the new patches to c-ares, V8 snapshotting, and the patched http.get() method. You can now download the updated N|Solid now.

Stay Secure with Node.js

For businesses and teams that need to take risk out of their reliance on third-party Node.js modules, NodeSource introduced NodeSource Certified Modules which offers security, reliability, and support for the modules that they rely on to run mission-critical business applications. We also offer extensive, enterprise-grade Node.js Support as well as an Architecture Evaluation to make sure that when you need help with Node.js, you can have someone to call.

The NodeSource platform offers a high-definition view of the performance, security and behavior of Node.js applications and functions.

Start for Free