ESB-2017.2725 - [Win][UNIX/Linux][FreeBSD] Node.js: Denial of service - Remote/unauthenticated 2017-10-27


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.2725
               Node.js -- remote DOS security vulnerability
                              27 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Node.js
Publisher:         FreeBSD
Operating System:  FreeBSD
                   UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Denial of Service -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-14919  

Original Bulletin: 
   http://www.vuxml.org/freebsd/d7d1cc94-b971-11e7-af3a-f1035dd0da62.html

Comment: This advisory references vulnerabilities in products which run on 
         platforms other than FreeBSD. It is recommended that administrators
         running Node.js check for an updated version of the software for 
         their operating system.

- --------------------------BEGIN INCLUDED TEXT--------------------

Node.js -- remote DOS security vulnerability

Affected packages:
  node     < 8.8.0
  node6    6.10.2 <= node6 < 6.11.5
  node4    4.8.2 <= node4 < 4.8.5

Details

VuXML ID:   d7d1cc94-b971-11e7-af3a-f1035dd0da62
Discovery:  2017-10-17
Entry:      2017-10-25

Node.js reports:

Node.js was susceptible to a remote DoS attack due to a change that came in as
part of zlib v1.2.9. In zlib v1.2.9, 8 became an invalid value for the
windowBits parameter, and Node's zlib module will crash or throw an exception
(depending on the version).

References

CVE Name:  CVE-2017-14919
URL:       https://nodejs.org/en/blog/vulnerability/oct-2017-dos/

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----
