CVE-2015-7384 Denial of Service Vulnerability #3138

Closed
rvagg opened this Issue Sep 30, 2015 · 1 comment

Comments

Projects
None yet
1 participant
@rvagg
Member

rvagg commented Sep 30, 2015

Originally posted @ https://groups.google.com/forum/#!topic/nodejs-sec/fSNEQiuof6I

Description and CVSS Score

A bug exists in Node.js versions 4.0.0 to 4.1.1 whereby an external attacker can cause a denial of service. The severity of this issue is high (see CVSS scoring below) and users of the affected versions should plan to upgrade when a fix is made available.

  • Versions 0.10 and 0.12 of Node.js are _not affected_.
  • Versions 4.0.0, 4.1.0 and 4.1.1 of Node.js are _vulnerable_.
  • Versions 1 and 2 of io.js are _not affected_ but remain unsupported and users of these versions are encouraged to migrate to Node.js v4 at their earliest convenience.
  • Version 3 of io.js is _vulnerable_ and while io.js v3 is unsupported, a patch release with a fix will be made available some time next week. Users of io.js v3 are encouraged to migrate to Node.js v4 as a matter of priority.

Full details of this vulnerability are embargoed until a new v4.x release is made available on Monday the 5th of October 2015, UTC.

Common Vulnerability Scoring System (CVSS) v3 Base Score:

Metric Score
Base Score: 5.9 (Medium)
Base Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network (AV:N)
Attack Complexity: Medium (AC:H)
Privileges Required: None (PR:N)
User Interaction: None (UI:N)
Scope of Impact: Unchanged (S:U)
Confidentiality Impact: None (C:N)
Integrity Impact: None (I:N)
Availability Impact: High (A:H)

Complete CVSS v3 Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H/E:F/RL:O/RC:C/CR:L/IR:L/AR:M/MAV:N/MAC:H/MPR:N/MUI:N/MS:U/MC:N/MI:N/MA:H. Refer to the CVSS v3 Specification for details on the meanings and application of the vector components.

CVE-2015-7384 is listed on the MITRE CVE dictionary and NIST NVD.

Action and updates

A new v4.x release on Monday the 5th of October 2015 will be made available with appropriate fixes for this vulnerability along with disclosure of the details of the bug to allow for complete impact assessment by users.

A new io.js v3.x release will be made on or after Monday the 5th of October 2015 for users having trouble migrating to Node.js v4, however this release does not indicate continued official support of io.js release lines.

Contact and future updates

Please contact security@nodejs.org if you wish to report a vulnerability in Node.js.

Please subscribe to the low-volume announcement-only nodejs-sec mailing list at https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date with security vulnerabilities in Node.js and the projects maintained in the nodejs GitHub organisation.

@nodejs nodejs locked and limited conversation to collaborators Sep 30, 2015

@rvagg

This comment has been minimized.

Show comment
Hide comment
@rvagg

rvagg Oct 5, 2015

Member

v4.1.2 has been released @ https://nodejs.org/download/release/latest/, please update now if you're using v4.x or io.js v3.x in production.

The fix is in core, on v4.x and in master and has multiple parts although it's primarily concerned with HTTP pipelining. #2639 is an example of the crash that can occur and this is caused by out-of-order responses being sent to the client within a single pipelined connection.

Please note that it is likely that this problem exists even behind a TLS terminator and/or load-balancer.

Member

rvagg commented Oct 5, 2015

v4.1.2 has been released @ https://nodejs.org/download/release/latest/, please update now if you're using v4.x or io.js v3.x in production.

The fix is in core, on v4.x and in master and has multiple parts although it's primarily concerned with HTTP pipelining. #2639 is an example of the crash that can occur and this is caused by out-of-order responses being sent to the client within a single pipelined connection.

Please note that it is likely that this problem exists even behind a TLS terminator and/or load-balancer.

@rvagg rvagg closed this Oct 5, 2015

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.