ESB-2019.0666 - [Win][UNIX/Linux][BSD] Node.js: Multiple vulnerabilities 2019-03-04


===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2019.0666
                      February 2019 Security Releases
                               4 March 2019

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Node.js
Publisher:         Node.js
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
                   BSD variants
Impact/Access:     Access Privileged Data -- Remote with User Interaction
                   Denial of Service      -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2019-5739 CVE-2019-5737 CVE-2019-1559
                   CVE-2018-12121  

Reference:         ESB-2019.0649
                   ESB-2019.0630
                   ESB-2019.0620

Original Bulletin: 
   https://nodejs.org/en/blog/vulnerability/february-2019-security-releases/

--------------------------BEGIN INCLUDED TEXT--------------------

February 2019 Security Releases

by Rod Vagg, 2019-02-28

(Update 28-February-2018) Security releases available

Summary 

Updates are now available for all active Node.js release lines. In addition to
fixes for security flaws in Node.js, they also include upgrades of Node.js 6
and 8 to OpenSSL 1.0.2r which contains a fix for a moderate severity security
vulnerability. The original announcement is included below.

For these releases, we have decided to withhold the fix for the
Misinterpretation of Input (CWE-115) flaw mentioned in the original
announcement. This flaw is very low severity and we are not satisfied that we
had a complete and stable fix ready for release. We will be seeking to address
this flaw via alternate mechanisms in the near future. In addition, we have
introduced an additional CVE for a change in Node.js 6 that we have decided to
classify as a Denial of Service (CWE-400) flaw.

We recommend that all Node.js users upgrade to a version listed below as soon
as possible.

Downloads & release details 

Downloads are available for the following versions. Details of code changes can
also be found on each release page.

  o Node.js 11.10.1 (Current)
  o Node.js 10.15.2 (LTS "Dubnium")
  o Node.js 8.15.1 (LTS "Carbon")
  o Node.js 6.17.0 (LTS "Boron")

Node.js: Slowloris HTTP Denial of Service with keep-alive (CVE-2019-5737) 

Categorization: Uncontrolled Resource Consumption / Denial of Service (CWE-400)

All actively supported release lines are vulnerable and the severity is LOW. An
attacker can cause a Denial of Service (DoS) by establishing an HTTP or HTTPS
connection in keep-alive mode and by sending headers very slowly thereby
keeping the connection and associated resources alive for a long period of
time. Attack potential is mitigated by the use of a load balancer or other
proxy layer.

This vulnerability is an extension of CVE-2018-12121, addressed in November,
2018. The 40 second timeout and its adjustment by server.headersTimeout apply
to this fix as in CVE-2018-12121.

CVE-2018-12121 originally reported by Jan Maybach (liebdich.com), keep-alive
variant reported by Marco Pracucci, fixed by Matteo Collina.

Impact:

  o All versions of Node.js 6 (LTS "Boron") are vulnerable
  o All versions of Node.js 8 (LTS "Carbon") are vulnerable
  o All versions of Node.js 10 (LTS "Dubnium") are vulnerable
  o All versions of Node.js 11 (Current) are vulnerable

Node.js: Denial of Service with keep-alive HTTP connections (CVE-2019-5739) 

Categorization: Uncontrolled Resource Consumption / Denial of Service (CWE-400)

Keep-alive HTTP and HTTPS connections can remain open and inactive for up to 2
minutes in Node.js 6.16.0 and earlier. Node.js 8.0.0 introduced a dedicated
server.keepAliveTimeout which defaults to 5 seconds. The behavior in Node.js
6.16.0 and earlier is a potential Denial of Service (DoS) attack vector.
Node.js 6.17.0 introduces server.keepAliveTimeout and the 5-second default.

The original fix was submitted by Timur Shemsedinov and backported by Matteo
Collina.

Impact:

  o All versions of Node.js 6 (LTS "Boron") are vulnerable
  o All versions of Node.js 8 (LTS "Carbon") are NOT vulnerable
  o All versions of Node.js 10 (LTS "Dubnium") are NOT vulnerable
  o All versions of Node.js 11 (Current) are NOT vulnerable

OpenSSL: 0-byte record padding oracle (CVE-2019-1559) 

Severity: MODERATE

OpenSSL 1.0.2r contains a fix for CVE-2019-1559 and is included in the releases
for Node.js versions 6 and 8 only. Node.js 10 and 11 are not impacted by this
vulnerability as they use newer versions of OpenSSL which do not contain the
flaw.

Under certain circumstances, a TLS server can be forced to respond differently
to a client if a zero-byte record is received with an invalid padding compared
to a zero-byte record with an invalid MAC. This can be used as the basis of a
padding oracle attack to decrypt data.

Only TLS connections using certain ciphersuites executing under certain
conditions are exploitable. We are currently unable to determine whether the
use of OpenSSL in Node.js exposes this vulnerability. We are taking a
cautionary approach and recommend the same for users. For more information, see
the advisory and a detailed write-up by the reporters of the vulnerability.

Impact:

  o All versions of Node.js 6 (LTS "Boron") are vulnerable
  o All versions of Node.js 8 (LTS "Carbon") are vulnerable
  o All versions of Node.js 10 (LTS "Dubnium") are NOT vulnerable
  o All versions of Node.js 11 (Current) are NOT vulnerable

Acknowledgements 

Matteo Collina for vulnerability fixes.

Shigeki Ohtsu and Sam Roberts for the OpenSSL upgrade.

Jan Maybach and Marco Pracucci for reporting vulnerabilities via the
appropriate channels (see below).

Other members of the Node.js security team for reviews and discussion.

Original post is included below

Summary 

The Node.js project will release new versions of all supported release lines
on, or shortly after, Wednesday, February 27th, 2019 UTC. These releases will
incorporate at least two security fixes specific to Node.js, the highest
severity of which is 'low'.

The OpenSSL project has announced releases for the 26th which may impact some
release lines of Node.js and require inclusion in our security releases. The
highest severity indicated by OpenSSL is 'moderate' and impacts OpenSSL 1.0.2
which is used by Node.js 6.x and 8.x. A bug-fix release for OpenSSL 1.1.1 will
also be made available and we will assess the impact, if any, on Node.js 11.x
which uses this version. Node.js 10.x will not be impacted by the OpenSSL
releases.

Impact 

Releases for all actively supported release lines will be made available to fix
the following vulnerabilities.

All versions of Node.js 6 (LTS "Boron") are vulnerable to:

  o 1 Uncontrolled Resource Consumption / Denial of Service (CWE-400)
    vulnerability
  o 1 Misinterpretation of Input (CWE-115) vulnerability
  o Possible update to OpenSSL 1.0.2r depending on assessed impact

All versions of Node.js 8 (LTS "Carbon") are vulnerable to:

  o 1 Uncontrolled Resource Consumption / Denial of Service (CWE-400)
    vulnerability
  o 1 Misinterpretation of Input (CWE-115) vulnerability
  o Possible update to OpenSSL 1.0.2r depending on assessed impact

All versions of Node.js 10 (LTS "Dubnium") are vulnerable to:

  o 1 Uncontrolled Resource Consumption / Denial of Service (CWE-400)
    vulnerability
  o 1 Misinterpretation of Input (CWE-115) vulnerability

All versions of Node.js 11 (Current) are vulnerable to:

  o 1 Uncontrolled Resource Consumption / Denial of Service (CWE-400)
    vulnerability
  o 1 Misinterpretation of Input (CWE-115) vulnerability
  o Possible update to OpenSSL 1.1.1b depending on assessed impact

Release timing 

Releases will be available at, or shortly after, Wednesday, February 27th, 2019
UTC, along with disclosure of the details for the flaws addressed in each
release in order to allow for complete impact assessment by users.

Contact and future updates 

The current Node.js security policy can be found at
https://nodejs.org/en/security/.

Please contact [email protected] if you wish to report a vulnerability in
Node.js.

Subscribe to the low-volume announcement-only nodejs-sec mailing list at
https://groups.google.com/forum/#!forum/nodejs-sec to stay up to date on
security vulnerabilities and security-related releases of Node.js and the
projects maintained in the nodejs GitHub organization.


--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================