Node.js Security Release Summary - November 2017
At NodeSource, we truly care about secure, reliable, and connected Node.js, and we want to ensure that you're informed about the security and stability of the Node.js platform.
Today, there was a security release for all active Node.js release lines. At time of publishing, the security vulnerability has been patched in semver minor releases of the Node.js 4.x, 6.x, 8.x, and 9.x release lines. The patched versions are:
To understand the full impact that the patched vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances, see below.
Node.js Security Impact Assessment
CVE-2017-3736: OOB read parsing IPAdressFamily in an X.509 certificate
- Impact Level: Low
- Affected Node.js Versions: All active Node.js release lines (4.x, 6.x, 8.x, 9.x)
CVE-2017-3735 fixes buffer over-read in parsing X.509 certificates using extensions defined in RFC 3779.
Node.js disables RFC 3779 support by defining OPENSSL_NO_RFC3779 during compile. It is therefore HIGHLY UNLIKELY that a Node.js deployment would be impacted - in any way - by this vulnerability.
VERSIONS OF NODE.JS AFFECTED BY CVE-2017-3735
- The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.8.6
- The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.12.0
- The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.9.1
- The Node.js 9 release line is affected. Please upgrade to Node.js 9.1.0
CVE-2017-3736: OOB read parsing IPAdressFamily in an X.509 certificate
- Impact Level: Low
- Affected Node.js Versions: All active Node.js release lines (4.x, 6.x, 8.x, 9.x)
CVE-2017-3736 fixes a carry propagating bug in the x86_64 Montgomery squaring procedure in OpenSSL before 1.0.2m and 1.1.0 before 1.1.0g. No EC algorithms are affected.
Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely. Attacks against DH are considered just feasible (although very difficult) because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be very significant and likely only accessible to a limited number of attackers. An attacker would additionally need online access to an unpatched system using the target private key in a scenario with persistent DH parameters and a private key that is shared between multiple clients. This only affects processors that support the BMI1, BMI2 and ADX extensions like Intel Broadwell (5th generation) and later or AMD Ryzen.
Source: CVE-2017-3736
CVE-2017-3736 impacts all active release lines of Node.js, but because of the EXTREMELY LOW likelihood of successful attack exploiting the flaw it has been deemed to be non-critical.
VERSIONS OF NODE.JS AFFECTED BY CVE-2017-3736
- The Node.js 4 Argon LTS release line is affected. Please upgrade to Node.js 4.8.6
- The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.12.0
- The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.9.1
- The Node.js 9 release line is affected. Please upgrade to Node.js 9.1.0
N|Solid Security Update - v2.4.1
We've updated N|Solid to version 2.4.1, which is now available. The release includes updated core Node.js versions for both the Argon, Boron, and Carbon release lines, which all includes the OpenSLL patch. You can download the updated version N|Solid now.
Stay Secure with Node.js
For businesses and teams that need to take risk out of their reliance on third-party Node.js modules, NodeSource introduced NodeSource Certified Modules which offers security, reliability, and support for modules that power mission-critical business applications. We also offer extensive, enterprise-grade Node.js Support as well as professional services around Node.js to make sure that when you need help with Node.js, you’ll have someone on your side.