Node.js Security Release Summary - June 2018 - NodeSource

Last night, there was a security release for all active Node.js release lines. At time of publishing, five unique DoS vulnerabilities have been patched in the Node.js 6, 8, 9, and 10 release lines. The patched versions are:

  • Node.js 6.14.3
  • Node.js 8.11.3
  • Node.js 9.11.2
  • Node.js 10.4.1

The patched vulnerabilities include Denial of Service vectors in the HTTP/2 module, the nghttp2 dependency, TLS, reading certain properties from a stream, and some uses of Buffer.fill() and Buffer.alloc().

The highest level of severity included in these updates is HIGH. You should upgrade your Node.js deployments to the latest versions as soon as humanly possible.

To understand the full impact that the patched vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances, see below.

Node.js Security Impact Assessment

CVE-2018-7161: HTTP/2 Module Denial of Service

  • Impact Level: High

This denial of service issue can be triggered when attackers can interact with a Node.js web server using the HTTP/2 module, causing a cleanup bug in which native code uses objects after they are no longer available. The HTTP/2 module has been patched to resolve this issue.

Affected Node.js Release Lines

  • The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.11.3.
  • The Node.js 9 release line is affected. Please upgrade to Node.js 9.11.2.
  • The Node.js 10 release line is affected. Please upgrade to Node.js 10.4.1.

CVE-2018-1000168: nghttp2 Denial of Service

  • Impact Level: High

A security issue in the underlying core dependency nghttp2 is caused by a null pointer dereference when a frame larger than 16384 bytes is sent, triggering a segmentation fault. The underlying dependency has shipped a patch and has been updated in Node.js core.

Affected Node.js Release Lines

  • The Node.js 9 release line is affected. Please upgrade to Node.js 9.11.2.
  • The Node.js 10 release line is affected. Please upgrade to Node.js 10.4.1.

CVE-2018-7162: TLS Denial of Service

  • Impact Level: High

Attackers could cause Node.js processes that have an HTTP server that supports TLS to crash by sending duplicate or unexpected messages during the TLS handshake. The issue in the underlying TLS implementation in Node.js has been resolved.

Affected Node.js Release Lines

  • The Node.js 9 release line is affected. Please upgrade to Node.js 9.11.2.
  • The Node.js 10 release line is affected. Please upgrade to Node.js 10.4.1.

CVE-2018-7164: Memory Exhaustion Denial of Service

  • Impact Level: Medium

More recent versions of Node.js (9.7.0 and greater) were exposed to a bug that increases memory usage when reading from the network into JavaScript by using net.Socket() as a stream. A Denial of Service could occur when small chunks of data were rapidly sent through the stream.

Affected Node.js Release Lines

  • The Node.js 9 release line is affected. Please upgrade to Node.js 9.11.2.
  • The Node.js 10 release line is affected. Please upgrade to Node.js 10.4.1.

CVE-2018-7167: Buffer.fill() and Buffer.alloc() Denial of Service

  • Impact Level: Low

Certain usage of Buffer.fill() and Buffer.alloc() could cause the Node.js process to hang. To resolve this, both implementations have been patched to zero fill instead of hanging in the cases that triggered the Denial of Service.

Affected Node.js Release Lines

  • The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.14.3.
  • The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.11.3.
  • The Node.js 9 release line is affected. Please upgrade to Node.js 9.11.2.
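
To check a deployment against the assessment above, the following added example (not part of the original post and not Node.js or NodeSource code) encodes the affected release lines and patched versions listed on this page and reports which CVEs apply to a given version string. The function names are hypothetical, and the script assumes that every version in an affected release line below its patched version is affected, because the page gives a lower bound only for CVE-2018-7164 (9.7.0 and greater).

```javascript
// Added example. Data below is transcribed from the advisories on this page.
const PATCHED = { 6: [6, 14, 3], 8: [8, 11, 3], 9: [9, 11, 2], 10: [10, 4, 1] };

const ADVISORIES = [
  { cve: 'CVE-2018-7161', impact: 'High', lines: [8, 9, 10] },
  { cve: 'CVE-2018-1000168', impact: 'High', lines: [9, 10] },
  { cve: 'CVE-2018-7162', impact: 'High', lines: [9, 10] },
  // The page states this bug was introduced in 9.7.0.
  { cve: 'CVE-2018-7164', impact: 'Medium', lines: [9, 10], since: [9, 7, 0] },
  { cve: 'CVE-2018-7167', impact: 'Low', lines: [6, 8, 9] },
];

// Accepts "v8.11.2" (the process.version form) or "8.11.2".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new TypeError(`not a Node.js version string: ${v}`);
  return m.slice(1).map(Number);
}

// Numeric comparison of [major, minor, patch]; string comparison would
// wrongly order "9.11.2" before "9.7.0".
function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function assess(versionString) {
  const v = parseVersion(versionString);
  const fixed = PATCHED[v[0]];
  // inScope is false for release lines this page does not cover; that is
  // "no data", not "safe".
  if (!fixed) return { inScope: false, upgradeTo: null, cves: [] };
  if (compare(v, fixed) >= 0) return { inScope: true, upgradeTo: null, cves: [] };
  // Assumption: anything below the patched version in an affected line counts.
  const cves = ADVISORIES
    .filter(a => a.lines.includes(v[0]) && (!a.since || compare(v, a.since) >= 0))
    .map(a => `${a.cve} (${a.impact})`);
  return { inScope: true, upgradeTo: cves.length ? fixed.join('.') : null, cves };
}

// Report on the runtime executing this script.
console.log(process.version, assess(process.version));
```
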

Node.js Patched in the N|Solid 3.2.1 Release

The above fixes have been shipped in the N|Solid Runtime with the release of N|Solid 3.2.1, which is now available for all target platforms.

Stay Secure with Node.js

Node.js is a highly reliable and actively maintained platform. That said, the code you rely on isn’t always part of Node.js. If you’re deploying Node.js applications to production, you should be actively monitoring the code you’re deploying for performance degradation and vulnerabilities introduced by third-party code.

NodeSource can help you monitor your production code for issues in real-time with N|Solid, a Node.js runtime built to meet the needs of the enterprise. We also offer extensive, enterprise-grade Node.js Support as well as professional services around Node.js to make sure that when you need help with Node.js, you’ll have someone on your side.
