Node.js Security Release Summary - November 2018
Today, there was a security release for all active Node.js release lines. At time of publishing, eight vulnerabilities have been patched in the Node.js 6, Node.js 8, Node.js 10, and Node.js 11 release lines. The worst severity is HIGH.
The patched (safe) versions are:
To understand the full impact that the patched vulnerabilities have on your Node.js deployment and the urgency of the upgrades for your circumstances, see below.
Thank you to the following people, who contributed significantly to the security issues that were patched in these releases:
- Matteo Collina
- Ben Noordhuis
- Trevor Norris
- Jan Maybach
- Martin Bajanik
- Arkadiy Tetelman
- Benno Fünfstück
- The OpenSSL Team
Node.js Security Impact Assessment
CVE-2018-12120: Debugger port 5858 listens on any interface by default
- Impact Level: High
In the case of the Node.js debugger being enabled by passing the --debug or debug flags to Node.js, there is a possibility of remote computers attaching to the debug feature and executing remote JavaScript.
A change has been made to default to localhost (using localhost was always an option, but was opt-in), with the option of escalating to non-localhost still intact.
The Node.js debugger was replaced in Node.js 8 by the inspector. As such, the only supported release line affected is Node.js 6 LTS.
Affected Node.js Release Lines
- The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.15.0.
- The Node.js 8 Carbon LTS release line is NOT affected.
- The Node.js 10 Dubnium LTS release line is NOT affected.
- The Node.js 11 release line is NOT affected.
CVE-2018-12121: Denial of Service with large HTTP headers
- Impact Level: High
A Denial of Service was previously achievable by sending many requests with the maximum size HTTP header of nearly 80kb/connection in combination with carefully handled completion of those headers. The Node.js HTTP server could be forced to abort due to a heap allocation failure.
This attack has previously been able to be mitigated by the use of a load balancer, as the majority of the requests would not be hitting a single Node.js server and causing the heap allocation failure.
After this series of releases for all active release lines, total size of HTTP headers received by Node.js must not exceed 8192 bytes.
Affected Node.js Release Lines
- The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.15.0.
- The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.14.0.
- The Node.js 10 Dubnium LTS release line is affected. Please upgrade to Node.js 10.14.0.
- The Node.js 11 release line is affected. Please upgrade to Node.js 11.3.0.
CVE-2018-12122: "Slowloris" HTTP Denial of Service
- Impact Level: Low
Attackers can cause a Denial of Service by sending HTTP or HTTPS headers extremely slowly to keep a connection open and maintain the resource utilization over an extended period.
This attack has previously been able to be mitigated by the use of a load balancer, as most load balancers have a completeness check. This check typically means waiting for the final two carriage return and line feeds being sent by the requesting HTTP client.
A new timeout of 40 seconds has been applied to receiving HTTP headers. If needed, you can adjust this number with the newly added server.headersTimeout variable.
Affected Node.js Release Lines
- The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.15.0.
- The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.14.0.
- The Node.js 10 Dubnium LTS release line is affected. Please upgrade to Node.js 10.14.0.
- The Node.js 11 release line is affected. Please upgrade to Node.js 11.3.0.
CVE-2018-12123: Hostname spoofing in URL parser for javascript protocol
- Impact Level: Low
The Node.js url.parse() method was being passed a hostname, and that included a mixed case javascript protocol (for example, jAvaScRipT:), the hostname could be spoofed. This only affected the javascript:protocol.
Affected Node.js Release Lines
- The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.15.0.
- The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.14.0.
- The Node.js 10 Dubnium LTS release line is affected. Please upgrade to Node.js 10.14.0.
- The Node.js 11 release line is affected. Please upgrade to Node.js 11.3.0.
CVE-2018-12116: HTTP request splitting
- Impact Level: Medium
If unsanitized, user-provided Unicode is used for the path option of an HTTP request, that user-provided data can trigger an additional unexpected and user-defined HTTP request to the same server.
Affected Node.js Release Lines
- The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.15.0.
- The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.14.0.
- The Node.js 10 Dubnium LTS release line is NOT affected.
- The Node.js 11 release line is NOT affected.
CVE-2018-0735: Timing vulnerability in ECDSA signature generation in OpenSSL
- Impact Level: Low
The OpenSSL ECDSA signature algorithm has been shown as being vulnerable to a timing side-channel attack, in which a malicious user could use variations of the signing algorithm to recover a private key.
Affected Node.js Release Lines
- The Node.js 6 Boron LTS release line is NOT affected.
- The Node.js 8 Carbon LTS release line is NOT affected.
- The Node.js 10 Dubnium LTS release line is affected. Please upgrade to Node.js 10.14.0.
- The Node.js 11 release line is affected. Please upgrade to Node.js 11.3.0.
CVE-2018-0734: Timing vulnerability in DSA signature generation in OpenSSL
- Impact Level: Low
The OpenSSL DSA signature algorithm has been shown as being vulnerable to a timing side-channel attack, in which a malicious user could use variations of the signing algorithm to recover a private key.
Affected Node.js Release Lines
- The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.15.0.
- The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.14.0.
- The Node.js 10 Dubnium LTS release line is affected. Please upgrade to Node.js 10.14.0.
- The Node.js 11 release line is affected. Please upgrade to Node.js 11.3.0.
CVE-2018-5407: Microarchitecture timing vulnerability in ECC scalar multiplication in OpenSSL
- Impact Level: Low
The OpenSSL ECC scalar multiplication has been shown as being vulnerable to a microarchitecture side-channel attack, in which a malicious user could with sufficient access to mount local timing attacks during ECDSA signature generation could be able to recover a private key.
Affected Node.js Release Lines
- The Node.js 6 Boron LTS release line is affected. Please upgrade to Node.js 6.15.0.
- The Node.js 8 Carbon LTS release line is affected. Please upgrade to Node.js 8.14.0.
- The Node.js 10 Dubnium LTS release line is affected. Please upgrade to Node.js 10.14.0.
- The Node.js 11 release line is affected. Please upgrade to Node.js 11.3.0.
N|Solid 3.4.2 Update
We've shipped N|Solid 3.4.2, which includes these security updates. If you're using N|Solid in development or production, we highly reccoment you update as soon as humanly possible.
If you need assistance upgrading your N|Solid deployments, we're here to help 🤗
Stay Secure with Node.js
Node.js is a highly reliable and actively maintained platform. That said, the code you rely on isn’t always part of Node.js. If you’re deploying Node.js applications to production, you should be actively monitoring the code you’re deploying for performance degradation and vulnerabilities introduced by third-party code.
NodeSource can help you monitor your production code for issues in real-time with N|Solid, a Node.js runtime built to meet the needs of the enterprise. We also offer extensive, enterprise-grade Node.js Support as well as professional services around Node.js to make sure that when you need help with Node.js, you’ll have someone on your side.